Example #1
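def test_rootdn_access_allowed_host(topology):
    '''
    Test allowed host feature (rootdn-allow-host)

    Checks that the Root DN bind is refused while the allow list holds only
    a host name this client does not match, and that it works again once the
    local host names are added to the list.
    '''

    log.info('Running test_rootdn_access_allowed_host...')

    #
    # Set allowed host to an unknown host - blocks the Root DN
    #
    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_REPLACE, 'rootdn-allow-host', 'i.dont.exist.com')])
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: Failed to set allowed host: error ' +
                  e.message['desc'])
        assert False

    #
    # Bind as Root DN - should fail
    #
    # Only the access-control refusal counts as a pass. The plugin is
    # expected to answer a rejected Root DN bind with UNWILLING_TO_PERFORM;
    # any other LDAPError (server down, timeout, bad credentials) would say
    # nothing about the allow list and must not be read as "access denied".
    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.UNWILLING_TO_PERFORM:
        pass
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: Root DN bind failed for an unexpected reason: error ' +
                  str(e))
        assert False
    else:
        log.fatal('test_rootdn_access_allowed_host: Root DN was incorrectly able to bind')
        assert False

    #
    # Allow localhost
    #
    # The Root DN is locked out at this point, so the config change is made
    # as user1.
    try:
        topology.standalone.simple_bind_s(USER1_DN, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: : failed to bind as user1')
        assert False

    hostname = socket.gethostname()
    localhost = DirSrvTools.getLocalhost()
    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD,
                                                  'rootdn-allow-host',
                                                  localhost)])
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD,
                                                  'rootdn-allow-host',
                                                  hostname)])
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: Failed to set allowed host: error ' +
                  e.message['desc'])
        assert False

    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error ' +
                  e.message['desc'])
        assert False

    #
    # Cleanup - undo everything we did so the next test has a clean slate
    #
    # NOTE(review): this cleanup is skipped when an assertion above fails, so
    # a restrictive rootdn-allow-host value can stay in place for later tests.
    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)])
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: Failed to delete(rootdn-allow-host): error ' +
                  e.message['desc'])
        assert False

    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error ' +
                  e.message['desc'])
        assert False

    log.info('test_rootdn_access_allowed_host: PASSED')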
Example #2
from lib389.properties import *
from lib389.tasks import *
from lib389.utils import *
from lib389.idm.directorymanager import DirectoryManager
from lib389.idm.user import UserAccounts
from lib389.topologies import topology_st

# Every test collected from this module carries the tier3 marker.
pytestmark = pytest.mark.tier3

# Module logger, always at DEBUG.
log = logging.getLogger(__name__)
log.setLevel(logging.DEBUG)

# Load-test settings (presumably caps on connections and worker threads;
# confirm against the code that reads them).
MAX_CONNS = 10000000
MAX_THREADS = 20
# Set to True by signalHandler() when the run is interrupted.
STOP = False
# Target server address: the local host, on the standard LDAP port.
HOSTNAME = DirSrvTools.getLocalhost()
PORT = 389
NUNC_STANS = False


def signalHandler(signal, frame):
    """
    Control-C handler: raise the module-wide STOP flag, then exit with status 0.

    The two parameters follow the signal-handler calling convention
    (signal number, current stack frame); neither is used here.
    """
    global STOP
    STOP = True
    raise SystemExit(0)


def init(inst):
    """Set the idle timeout, and add sample entries
Example #3
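def test_rootdn_access_denied_host(topology):
    '''
    Test denied Host feature - we can just test denying localhost

    Checks that the Root DN bind is refused while the local host names are
    on the rootdn-deny-host list, and that it works again once the list
    names only an unrelated host.
    '''

    log.info('Running test_rootdn_access_denied_host...')
    hostname = socket.gethostname()
    localhost = DirSrvTools.getLocalhost()
    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD,
                                                  'rootdn-deny-host',
                                                  hostname)])
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD,
                                                  'rootdn-deny-host',
                                                  localhost)])
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: Failed to set deny host: error ' +
                  e.message['desc'])
        assert False

    #
    # Bind as Root DN - should fail
    #
    # Only the access-control refusal counts as a pass. The plugin is
    # expected to answer a rejected Root DN bind with UNWILLING_TO_PERFORM;
    # any other LDAPError (server down, timeout, bad credentials) would say
    # nothing about the deny list and must not be read as "access denied".
    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.UNWILLING_TO_PERFORM:
        pass
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: Root DN bind failed for an unexpected reason: error ' +
                  str(e))
        assert False
    else:
        log.fatal('test_rootdn_access_denied_host: Root DN was incorrectly able to bind')
        assert False

    #
    # Change the denied host so root DN succeeds
    #
    # The Root DN is locked out at this point, so the config change is made
    # as user1.
    try:
        topology.standalone.simple_bind_s(USER1_DN, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: : failed to bind as user1')
        assert False

    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_REPLACE, 'rootdn-deny-host', 'i.dont.exist.com')])
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: Failed to set rootDN plugin config: error ' +
                  e.message['desc'])
        assert False

    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error ' +
                  e.message['desc'])
        assert False

    #
    # Cleanup - undo the changes we made so the next test has a clean slate
    #
    # NOTE(review): this cleanup is skipped when an assertion above fails, so
    # the rootdn-deny-host values can stay in place for later tests.
    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-deny-host', None)])
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: Failed to set rootDN plugin config: error ' +
                  e.message['desc'])
        assert False

    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error ' +
                  e.message['desc'])
        assert False

    log.info('test_rootdn_access_denied_host: PASSED')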
Example #4
import pytest
import uuid
from lib389.utils import *
from lib389.tasks import *
from lib389.tools import DirSrvTools
from lib389.topologies import topology_st
from lib389._constants import DEFAULT_SUFFIX, DN_DM, PASSWORD
from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES
from lib389.plugins import RootDNAccessControlPlugin

# Every test collected from this module carries the tier1 marker.
pytestmark = pytest.mark.tier1

# Module logger, always at DEBUG.
log = logging.getLogger(__name__)
log.setLevel(logging.DEBUG)

# Two names for the machine running the tests, resolved once at import time:
# the one lib389 reports and the one the OS reports.
localhost = DirSrvTools.getLocalhost()
hostname = socket.gethostname()


@pytest.fixture(scope="function")
def rootdn_cleanup(topology_st):
    """Clear the plugin's host and IP allow/deny settings ahead of each test.

    Function-scoped, so it runs once per test that requests it. Presumably
    this keeps a restriction left behind by one test from locking the
    Root DN out of the next one - confirm against the plugin helpers.
    """
    log.info('Cleaning up the config area')
    plugin = RootDNAccessControlPlugin(topology_st.standalone)
    # Host lists first, then IP lists; each helper is looked up and called
    # in turn.
    for remover in ('remove_all_allow_host',
                    'remove_all_deny_host',
                    'remove_all_allow_ip',
                    'remove_all_deny_ip'):
        getattr(plugin, remover)()


@pytest.fixture(scope="module")
Example #5
from lib389.properties import *
from lib389.tasks import *
from lib389.utils import *

# Flip to True for DEBUG-level logging from this module.
DEBUGGING = False

log = logging.getLogger(__name__)
log.setLevel(logging.DEBUG if DEBUGGING else logging.INFO)

# Load-test settings (presumably caps on connections and worker threads;
# confirm against the code that reads them).
MAX_CONNS = 10000000
MAX_THREADS = 20
STOP = False
# Target server address: the local host, on the standard LDAP port.
HOSTNAME = DirSrvTools.getLocalhost()
PORT = 389


class TopologyStandalone(object):
    """Holder for the single standalone DS instance used by the tests."""

    def __init__(self, standalone):
        """Open the given instance, then expose it as ``self.standalone``.

        The attribute is assigned only after ``open()`` returns, so a failed
        open leaves the object without it.
        """
        instance = standalone
        instance.open()
        self.standalone = instance


@pytest.fixture(scope="module")
def topology(request):
    """Create DS Deployment"""
Example #6
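def test_rootdn_access_allowed_host(topology_st):
    '''
    Test allowed host feature (rootdn-allow-host)

    Checks that the Root DN bind is refused while the allow list holds only
    a host name this client does not match, and that it works again once the
    list is replaced with the local host names.
    '''

    log.info('Running test_rootdn_access_allowed_host...')

    #
    # Set allowed host to an unknown host - blocks the Root DN
    #
    try:
        topology_st.standalone.modify_s(
            PLUGIN_DN,
            [(ldap.MOD_REPLACE, 'rootdn-allow-host', b'i.dont.exist.com')])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Failed to set allowed host: error {}'
            .format(e))
        assert False

    #
    # Bind as Root DN - should fail
    #
    # Only the access-control refusal counts as a pass. The plugin is
    # expected to answer a rejected Root DN bind with UNWILLING_TO_PERFORM;
    # any other LDAPError (server down, timeout, bad credentials) would say
    # nothing about the allow list and must not be read as "access denied".
    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.UNWILLING_TO_PERFORM:
        pass
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Root DN bind failed for an unexpected reason: error {}'
            .format(e))
        assert False
    else:
        log.fatal(
            'test_rootdn_access_allowed_host: Root DN was incorrectly able to bind'
        )
        assert False

    #
    # Allow localhost
    #
    # The Root DN is locked out at this point, so the config change is made
    # as user1.
    try:
        topology_st.standalone.simple_bind_s(USER1_DN, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: : failed to bind as user1')
        assert False

    hostname = socket.gethostname()
    localhost = DirSrvTools.getLocalhost()
    try:
        # Drop the blocking value first, then add the local names.
        topology_st.standalone.modify_s(
            PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)])
        topology_st.standalone.modify_s(
            PLUGIN_DN,
            [(ldap.MOD_ADD, 'rootdn-allow-host', ensure_bytes(localhost))])
        # Adding the same value twice would be rejected, so the second name
        # is added only when it differs.
        if hostname != localhost:
            topology_st.standalone.modify_s(
                PLUGIN_DN,
                [(ldap.MOD_ADD, 'rootdn-allow-host', ensure_bytes(hostname))])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Failed to set allowed host: error {}'
            .format(e))
        assert False

    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error {}'
            .format(e))
        assert False

    #
    # Cleanup - undo everything we did so the next test has a clean slate
    #
    # NOTE(review): this cleanup is skipped when an assertion above fails, so
    # a restrictive rootdn-allow-host value can stay in place for later tests.
    try:
        topology_st.standalone.modify_s(
            PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Failed to delete(rootdn-allow-host): error {}'
            .format(e))
        assert False

    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error {}'
            .format(e))
        assert False

    log.info('test_rootdn_access_allowed_host: PASSED')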
Example #7
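def test_rootdn_access_denied_host(topology_st):
    '''
    Test denied Host feature - we can just test denying localhost

    Checks that the Root DN bind is refused while the local host names are
    on the rootdn-deny-host list, and that it works again once the list
    names only an unrelated host.
    '''

    log.info('Running test_rootdn_access_denied_host...')
    hostname = socket.gethostname()
    localhost = DirSrvTools.getLocalhost()
    try:
        topology_st.standalone.modify_s(
            PLUGIN_DN,
            [(ldap.MOD_ADD, 'rootdn-deny-host', ensure_bytes(hostname))])
        # Adding the same value twice would be rejected, so the second name
        # is added only when it differs.
        if localhost != hostname:
            topology_st.standalone.modify_s(
                PLUGIN_DN,
                [(ldap.MOD_ADD, 'rootdn-deny-host', ensure_bytes(localhost))])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Failed to set deny host: error {}'
            .format(e))
        assert False

    #
    # Bind as Root DN - should fail
    #
    # Only the access-control refusal counts as a pass. The plugin is
    # expected to answer a rejected Root DN bind with UNWILLING_TO_PERFORM;
    # any other LDAPError (server down, timeout, bad credentials) would say
    # nothing about the deny list and must not be read as "access denied".
    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.UNWILLING_TO_PERFORM:
        pass
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Root DN bind failed for an unexpected reason: error {}'
            .format(e))
        assert False
    else:
        log.fatal(
            'test_rootdn_access_denied_host: Root DN was incorrectly able to bind'
        )
        assert False

    #
    # Change the denied host so root DN succeeds
    #
    # The Root DN is locked out at this point, so the config change is made
    # as user1.
    try:
        topology_st.standalone.simple_bind_s(USER1_DN, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: : failed to bind as user1')
        assert False

    try:
        topology_st.standalone.modify_s(
            PLUGIN_DN,
            [(ldap.MOD_REPLACE, 'rootdn-deny-host', b'i.dont.exist.com')])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Failed to set rootDN plugin config: error {}'
            .format(e))
        assert False

    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error {}'
            .format(e))
        assert False

    #
    # Cleanup - undo the changes we made so the next test has a clean slate
    #
    # NOTE(review): this cleanup is skipped when an assertion above fails, so
    # the rootdn-deny-host values can stay in place for later tests.
    try:
        topology_st.standalone.modify_s(
            PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-deny-host', None)])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Failed to set rootDN plugin config: error {}'
            .format(e))
        assert False

    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error {}'
            .format(e))
        assert False

    log.info('test_rootdn_access_denied_host: PASSED')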