def setupSSL_test(): ssl_args = { 'dirsrv': conn, 'secport': 22636, 'sourcedir': None, 'secargs': { 'nsSSLPersonalitySSL': 'localhost' }, } cert_dir = conn.getDseAttr('nsslapd-certdir') assert cert_dir, "Cannot retrieve cert dir" log.info("Initialize the cert store with an empty password: %r", cert_dir) fd_null = open('/dev/null', 'w') open('%s/pin.txt' % cert_dir, 'w').close() cmd_initialize = 'certutil -d %s -N -f %s/pin.txt' % (cert_dir, cert_dir) Popen(cmd_initialize.split(), stderr=fd_null) log.info("Creating a self-signed cert for the server in %r" % cert_dir) cmd_mkcert = ('certutil -d %s -S -n localhost -t CTu,Cu,Cu ' '-s cn=localhost -x' % cert_dir) Popen(cmd_mkcert.split(), stdin=open("/dev/urandom"), stderr=fd_null) log.info("Testing ssl configuration") ssl_args.update({'dirsrv': conn}) DirSrvTools.setupSSL(**ssl_args)
def stop_start_test(): # dunno why DirSrv.start|stop writes to dirsrv error-log conn.errlog = "/tmp/dirsrv-errlog" open(conn.errlog, "w").close() DirSrvTools.stop(conn) log.info("server stopped") DirSrvTools.start(conn) log.info("server start") time.sleep(5) # save and restore conn settings after restart tmp = conn.added_backends, conn.added_entries setup() conn.added_backends, conn.added_entries = tmp assert conn.search_s( *utils.searches['NAMINGCONTEXTS']), "Missing namingcontexts"
def setupSSL_test(): ssl_args = { 'dirsrv': conn, 'secport': 22636, 'sourcedir': None, 'secargs': {'nsSSLPersonalitySSL': 'localhost'}, } cert_dir = conn.getDseAttr('nsslapd-certdir') assert cert_dir, "Cannot retrieve cert dir" log.info("Initialize the cert store with an empty password: %r", cert_dir) fd_null = open('/dev/null', 'w') open('%s/pin.txt' % cert_dir, 'w').close() cmd_initialize = 'certutil -d %s -N -f %s/pin.txt' % (cert_dir, cert_dir) Popen(cmd_initialize.split(), stderr=fd_null) log.info("Creating a self-signed cert for the server in %r" % cert_dir) cmd_mkcert = 'certutil -d %s -S -n localhost -t CTu,Cu,Cu -s cn=localhost -x' % cert_dir Popen(cmd_mkcert.split(), stdin=open("/dev/urandom"), stderr=fd_null) log.info("Testing ssl configuration") ssl_args.update({'dirsrv': conn}) DirSrvTools.setupSSL(**ssl_args)
def validate_hostname(self): if getdomainname() == "": # Should we return a message? raise AssertionError("Host does not have a domain name.") DirSrvTools.searchHostsFile(getfqdn())
from lib389.properties import * from lib389.tasks import * from lib389.utils import * from lib389.idm.directorymanager import DirectoryManager from lib389.idm.user import UserAccounts from lib389.topologies import topology_st pytestmark = pytest.mark.tier3 logging.getLogger(__name__).setLevel(logging.DEBUG) log = logging.getLogger(__name__) MAX_CONNS = 10000000 MAX_THREADS = 20 STOP = False HOSTNAME = DirSrvTools.getLocalhost() PORT = 389 NUNC_STANS = False def signalHandler(signal, frame): """ handle control-C cleanly """ global STOP STOP = True sys.exit(0) def init(inst): """Set the idle timeout, and add sample entries
def default_test(): host = socket.gethostname() port = 10200 binddn = "cn=directory manager" bindpw = "password" suffix = 'dc=example,dc=com' basedn = DN_CONFIG scope = ldap.SCOPE_BASE filt = "(objectclass=*)" instance_name = ['m1', 'm2'] instance_config = { 'cfgdshost': host, 'cfgdsport': port, 'cfgdsuser': '******', 'cfgdspwd': 'admin', 'newrootpw': 'password', 'newhost': host, 'newport': port, 'newinstance': instance_name[0], 'newsuffix': suffix, 'setup_admin': True, } try: m1 = DirSrv(host, port, binddn, bindpw) except: m1 = DirSrvTools.createInstance(instance_config, verbose=0) added_instances.append(instance_config['newinstance']) # filename = "%s/slapd-%s/ldif/Example.ldif" % (m1.sroot, m1.inst) # m1.importLDIF(filename, "dc=example,dc=com", None, True) # m1.exportLDIF('/tmp/ldif', "dc=example,dc=com", False, True) print (m1.sroot, m1.inst, m1.errlog) ent = m1.getEntry(basedn, scope, filt, None) if ent: print (ent.passwordmaxage) instance_config.update({ 'newinstance': instance_name[1], 'newport': port + 10, }) m1 = DirSrvTools.createInstance(instance_config, verbose=0) added_instances.append(instance_config['newinstance']) # m1.stop(True) # m1.start(True) suffix = "dc=example2,dc=com" bename = "example2db" backendEntry, dummy = m1.backend.add(suffix, bename) suffixEntry = m1.backend.setup_mt(suffix, bename) cn = backendEntry.getValue('cn') print (cn) entry = m1.getEntry(DN_CONFIG, ldap.SCOPE_SUBTREE, "(cn=" + cn + ")") print ("new backend entry is:") print (entry) print (entry.getValues('objectclass')) print (entry.OBJECTCLASS) results = m1.search_s("cn=monitor", ldap.SCOPE_SUBTREE) print (results) results = m1.getBackendsForSuffix("dc=example,dc=com") print (results) print ("done")
def test_rootdn_access_allowed_host(topology): ''' Test allowed ip feature ''' log.info('Running test_rootdn_access_allowed_host...') # # Set allowed host to an unknown host - blocks the Root DN # try: topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_REPLACE, 'rootdn-allow-host', 'i.dont.exist.com')]) except ldap.LDAPError as e: log.fatal('test_rootdn_access_allowed_host: Failed to set allowed host: error ' + e.message['desc']) assert False # # Bind as Root DN - should fail # try: topology.standalone.simple_bind_s(DN_DM, PASSWORD) succeeded = True except ldap.LDAPError as e: succeeded = False if succeeded: log.fatal('test_rootdn_access_allowed_host: Root DN was incorrectly able to bind') assert False # # Allow localhost # try: topology.standalone.simple_bind_s(USER1_DN, PASSWORD) except ldap.LDAPError as e: log.fatal('test_rootdn_access_allowed_host: : failed to bind as user1') assert False hostname = socket.gethostname() localhost = DirSrvTools.getLocalhost() try: topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-allow-host', localhost)]) topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-allow-host', hostname)]) except ldap.LDAPError as e: log.fatal('test_rootdn_access_allowed_host: Failed to set allowed host: error ' + e.message['desc']) assert False try: topology.standalone.simple_bind_s(DN_DM, PASSWORD) except ldap.LDAPError as e: log.fatal('test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error ' + e.message['desc']) assert False # # Cleanup - undo everything we did so the next test has a clean slate # try: topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)]) except ldap.LDAPError as e: log.fatal('test_rootdn_access_allowed_host: Failed to delete(rootdn-allow-host): error ' + e.message['desc']) assert False try: topology.standalone.simple_bind_s(DN_DM, PASSWORD) except ldap.LDAPError as e: log.fatal('test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error ' + e.message['desc']) assert False log.info('test_rootdn_access_allowed_host: PASSED')
def test_rootdn_access_denied_host(topology): ''' Test denied Host feature - we can just test denying localhost ''' log.info('Running test_rootdn_access_denied_host...') hostname = socket.gethostname() localhost = DirSrvTools.getLocalhost() try: topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-deny-host', hostname)]) topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-deny-host', localhost)]) except ldap.LDAPError as e: log.fatal('test_rootdn_access_denied_host: Failed to set deny host: error ' + e.message['desc']) assert False # # Bind as Root DN - should fail # try: topology.standalone.simple_bind_s(DN_DM, PASSWORD) succeeded = True except ldap.LDAPError as e: succeeded = False if succeeded: log.fatal('test_rootdn_access_denied_host: Root DN was incorrectly able to bind') assert False # # Change the denied host so root DN succeeds # try: topology.standalone.simple_bind_s(USER1_DN, PASSWORD) except ldap.LDAPError as e: log.fatal('test_rootdn_access_denied_host: : failed to bind as user1') assert False try: topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_REPLACE, 'rootdn-deny-host', 'i.dont.exist.com')]) except ldap.LDAPError as e: log.fatal('test_rootdn_access_denied_host: Failed to set rootDN plugin config: error ' + e.message['desc']) assert False try: topology.standalone.simple_bind_s(DN_DM, PASSWORD) except ldap.LDAPError as e: log.fatal('test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error ' + e.message['desc']) assert False # # Cleanup - undo the changes we made so the next test has a clean slate # try: topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-deny-host', None)]) except ldap.LDAPError as e: log.fatal('test_rootdn_access_denied_host: Failed to set rootDN plugin config: error ' + e.message['desc']) assert False try: topology.standalone.simple_bind_s(DN_DM, PASSWORD) except ldap.LDAPError as e: log.fatal('test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error ' + e.message['desc']) assert False log.info('test_rootdn_access_denied_host: PASSED')
import pytest import uuid from lib389.utils import * from lib389.tasks import * from lib389.tools import DirSrvTools from lib389.topologies import topology_st from lib389._constants import DEFAULT_SUFFIX, DN_DM, PASSWORD from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES from lib389.plugins import RootDNAccessControlPlugin pytestmark = pytest.mark.tier1 logging.getLogger(__name__).setLevel(logging.DEBUG) log = logging.getLogger(__name__) localhost = DirSrvTools.getLocalhost() hostname = socket.gethostname() @pytest.fixture(scope="function") def rootdn_cleanup(topology_st): """Do a cleanup of the config area before the test """ log.info('Cleaning up the config area') plugin = RootDNAccessControlPlugin(topology_st.standalone) plugin.remove_all_allow_host() plugin.remove_all_deny_host() plugin.remove_all_allow_ip() plugin.remove_all_deny_ip() @pytest.fixture(scope="module")
from lib389.properties import * from lib389.tasks import * from lib389.utils import * DEBUGGING = False if DEBUGGING: logging.getLogger(__name__).setLevel(logging.DEBUG) else: logging.getLogger(__name__).setLevel(logging.INFO) log = logging.getLogger(__name__) MAX_CONNS = 10000000 MAX_THREADS = 20 STOP = False HOSTNAME = DirSrvTools.getLocalhost() PORT = 389 class TopologyStandalone(object): """The DS Topology Class""" def __init__(self, standalone): """Init""" standalone.open() self.standalone = standalone @pytest.fixture(scope="module") def topology(request): """Create DS Deployment"""
def test_rootdn_access_allowed_host(topology_st): ''' Test allowed ip feature ''' log.info('Running test_rootdn_access_allowed_host...') # # Set allowed host to an unknown host - blocks the Root DN # try: topology_st.standalone.modify_s( PLUGIN_DN, [(ldap.MOD_REPLACE, 'rootdn-allow-host', b'i.dont.exist.com')]) except ldap.LDAPError as e: log.fatal( 'test_rootdn_access_allowed_host: Failed to set allowed host: error {}' .format(e)) assert False # # Bind as Root DN - should fail # try: topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) succeeded = True except ldap.LDAPError as e: succeeded = False if succeeded: log.fatal( 'test_rootdn_access_allowed_host: Root DN was incorrectly able to bind' ) assert False # # Allow localhost # try: topology_st.standalone.simple_bind_s(USER1_DN, PASSWORD) except ldap.LDAPError as e: log.fatal('test_rootdn_access_allowed_host: : failed to bind as user1') assert False hostname = socket.gethostname() localhost = DirSrvTools.getLocalhost() try: topology_st.standalone.modify_s( PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)]) topology_st.standalone.modify_s( PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-allow-host', ensure_bytes(localhost))]) if hostname != localhost: topology_st.standalone.modify_s( PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-allow-host', ensure_bytes(hostname))]) except ldap.LDAPError as e: log.fatal( 'test_rootdn_access_allowed_host: Failed to set allowed host: error {}' .format(e)) assert False try: topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) except ldap.LDAPError as e: log.fatal( 'test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error {}' .format(e)) assert False # # Cleanup - undo everything we did so the next test has a clean slate # try: topology_st.standalone.modify_s( PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)]) except ldap.LDAPError as e: log.fatal( 'test_rootdn_access_allowed_host: Failed to delete(rootdn-allow-host): error {}' .format(e)) assert False try: topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) except ldap.LDAPError as e: log.fatal( 'test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error {}' .format(e)) assert False log.info('test_rootdn_access_allowed_host: PASSED')
def test_rootdn_access_denied_host(topology_st): ''' Test denied Host feature - we can just test denying localhost ''' log.info('Running test_rootdn_access_denied_host...') hostname = socket.gethostname() localhost = DirSrvTools.getLocalhost() try: topology_st.standalone.modify_s( PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-deny-host', ensure_bytes(hostname))]) if localhost != hostname: topology_st.standalone.modify_s( PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-deny-host', ensure_bytes(localhost))]) except ldap.LDAPError as e: log.fatal( 'test_rootdn_access_denied_host: Failed to set deny host: error {}' .format(e)) assert False # # Bind as Root DN - should fail # try: topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) succeeded = True except ldap.LDAPError as e: succeeded = False if succeeded: log.fatal( 'test_rootdn_access_denied_host: Root DN was incorrectly able to bind' ) assert False # # Change the denied host so root DN succeeds # try: topology_st.standalone.simple_bind_s(USER1_DN, PASSWORD) except ldap.LDAPError as e: log.fatal('test_rootdn_access_denied_host: : failed to bind as user1') assert False try: topology_st.standalone.modify_s( PLUGIN_DN, [(ldap.MOD_REPLACE, 'rootdn-deny-host', b'i.dont.exist.com')]) except ldap.LDAPError as e: log.fatal( 'test_rootdn_access_denied_host: Failed to set rootDN plugin config: error {}' .format(e)) assert False try: topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) except ldap.LDAPError as e: log.fatal( 'test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error {}' .format(e)) assert False # # Cleanup - undo the changes we made so the next test has a clean slate # try: topology_st.standalone.modify_s( PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-deny-host', None)]) except ldap.LDAPError as e: log.fatal( 'test_rootdn_access_denied_host: Failed to set rootDN plugin config: error {}' .format(e)) assert False try: topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) except ldap.LDAPError as e: log.fatal( 'test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error {}' .format(e)) assert False log.info('test_rootdn_access_denied_host: PASSED')