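def test_rootdn_access_allowed_host(topology):
    '''
    Test the allowed host feature (rootdn-allow-host) of the Root DN
    access control plugin.

    Steps, as performed below:
      1. Replace rootdn-allow-host with a host name that does not exist;
         the Root DN bind must then be refused.
      2. Bind as USER1_DN, add the local host names to the allow list and
         check that the Root DN can bind again.
      3. Delete rootdn-allow-host and check that the Root DN still binds,
         so the next test starts without a host restriction.
    '''

    log.info('Running test_rootdn_access_allowed_host...')

    #
    # Set allowed host to an unknown host - blocks the Root DN
    #
    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_REPLACE, 'rootdn-allow-host', 'i.dont.exist.com')])
    except ldap.LDAPError as e:
        # str(e) instead of e.message['desc']: it cannot raise a second
        # exception that would hide the LDAP error being reported.
        log.fatal('test_rootdn_access_allowed_host: Failed to set allowed host: error ' + str(e))
        assert False

    #
    # Bind as Root DN - should fail
    #
    # The plugin is expected to refuse the bind with UNWILLING_TO_PERFORM.
    # Any other LDAPError (for example the server being unreachable) does
    # not show that the host restriction was enforced, so it fails the test
    # instead of being counted as a successful denial.
    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
        succeeded = True
    except ldap.UNWILLING_TO_PERFORM:
        succeeded = False
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: Root DN bind failed with an unexpected error: ' + str(e))
        assert False

    if succeeded:
        log.fatal('test_rootdn_access_allowed_host: Root DN was incorrectly able to bind')
        assert False

    #
    # Allow localhost
    #
    # The Root DN is locked out at this point, so the configuration change
    # is made as USER1_DN (presumably granted write access to the plugin
    # entry by the test setup - confirm against the fixture).
    try:
        topology.standalone.simple_bind_s(USER1_DN, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: : failed to bind as user1')
        assert False

    hostname = socket.gethostname()
    localhost = DirSrvTools.getLocalhost()
    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-allow-host', localhost)])
        # Adding the same value twice is rejected by the server, so only
        # add the second name when it actually differs from the first.
        if hostname != localhost:
            topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-allow-host', hostname)])
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: Failed to set allowed host: error ' + str(e))
        assert False

    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error ' + str(e))
        assert False

    #
    # Cleanup - undo everything we did so the next test has a clean slate
    #
    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)])
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: Failed to delete(rootdn-allow-host): error ' + str(e))
        assert False

    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error ' + str(e))
        assert False

    log.info('test_rootdn_access_allowed_host: PASSED')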
from lib389.properties import * from lib389.tasks import * from lib389.utils import * from lib389.idm.directorymanager import DirectoryManager from lib389.idm.user import UserAccounts from lib389.topologies import topology_st pytestmark = pytest.mark.tier3 logging.getLogger(__name__).setLevel(logging.DEBUG) log = logging.getLogger(__name__) MAX_CONNS = 10000000 MAX_THREADS = 20 STOP = False HOSTNAME = DirSrvTools.getLocalhost() PORT = 389 NUNC_STANS = False def signalHandler(signal, frame): """ handle control-C cleanly """ global STOP STOP = True sys.exit(0) def init(inst): """Set the idle timeout, and add sample entries
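def test_rootdn_access_denied_host(topology):
    '''
    Test the denied host feature (rootdn-deny-host) of the Root DN access
    control plugin - we can just test denying localhost.

    Steps, as performed below:
      1. Add the local host names to rootdn-deny-host; the Root DN bind
         must then be refused.
      2. Bind as USER1_DN, replace the deny list with a host name that does
         not exist and check that the Root DN can bind again.
      3. Delete rootdn-deny-host and check that the Root DN still binds,
         so the next test starts without a host restriction.
    '''

    log.info('Running test_rootdn_access_denied_host...')
    hostname = socket.gethostname()
    localhost = DirSrvTools.getLocalhost()
    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-deny-host', hostname)])
        # Adding the same value twice is rejected by the server, so only
        # add the second name when it actually differs from the first.
        if localhost != hostname:
            topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD, 'rootdn-deny-host', localhost)])
    except ldap.LDAPError as e:
        # str(e) instead of e.message['desc']: it cannot raise a second
        # exception that would hide the LDAP error being reported.
        log.fatal('test_rootdn_access_denied_host: Failed to set deny host: error ' + str(e))
        assert False

    #
    # Bind as Root DN - should fail
    #
    # The plugin is expected to refuse the bind with UNWILLING_TO_PERFORM.
    # Any other LDAPError (for example the server being unreachable) does
    # not show that the deny rule was enforced, so it fails the test
    # instead of being counted as a successful denial.
    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
        succeeded = True
    except ldap.UNWILLING_TO_PERFORM:
        succeeded = False
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: Root DN bind failed with an unexpected error: ' + str(e))
        assert False

    if succeeded:
        log.fatal('test_rootdn_access_denied_host: Root DN was incorrectly able to bind')
        assert False

    #
    # Change the denied host so root DN succeeds
    #
    # The Root DN is locked out at this point, so the configuration change
    # is made as USER1_DN (presumably granted write access to the plugin
    # entry by the test setup - confirm against the fixture).
    try:
        topology.standalone.simple_bind_s(USER1_DN, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: : failed to bind as user1')
        assert False

    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_REPLACE, 'rootdn-deny-host', 'i.dont.exist.com')])
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: Failed to set rootDN plugin config: error ' + str(e))
        assert False

    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error ' + str(e))
        assert False

    #
    # Cleanup - undo the changes we made so the next test has a clean slate
    #
    try:
        topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-deny-host', None)])
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: Failed to set rootDN plugin config: error ' + str(e))
        assert False

    try:
        topology.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal('test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error ' + str(e))
        assert False

    log.info('test_rootdn_access_denied_host: PASSED')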
import pytest
import uuid
from lib389.utils import *
from lib389.tasks import *
from lib389.tools import DirSrvTools
from lib389.topologies import topology_st
from lib389._constants import DEFAULT_SUFFIX, DN_DM, PASSWORD
from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES
from lib389.plugins import RootDNAccessControlPlugin

pytestmark = pytest.mark.tier1

logging.getLogger(__name__).setLevel(logging.DEBUG)
log = logging.getLogger(__name__)

# Both names are looked up once, at import time, and shared by the module.
localhost = DirSrvTools.getLocalhost()
hostname = socket.gethostname()


@pytest.fixture(scope="function")
def rootdn_cleanup(topology_st):
    """Clear the Root DN access control host and IP lists before a test.

    Function-scoped, so it runs again for every test that requests it.
    It removes all allow-host, deny-host, allow-ip and deny-ip values from
    the plugin on the standalone instance, so a restriction left behind by
    an earlier test cannot decide the outcome of the next one.
    """

    log.info('Cleaning up the config area')
    plugin = RootDNAccessControlPlugin(topology_st.standalone)
    plugin.remove_all_allow_host()
    plugin.remove_all_deny_host()
    plugin.remove_all_allow_ip()
    plugin.remove_all_deny_ip()


@pytest.fixture(scope="module")
from lib389.properties import *
from lib389.tasks import *
from lib389.utils import *

# Flip to True to get DEBUG-level output from this module's logger.
DEBUGGING = False

if DEBUGGING:
    logging.getLogger(__name__).setLevel(logging.DEBUG)
else:
    logging.getLogger(__name__).setLevel(logging.INFO)
log = logging.getLogger(__name__)

MAX_CONNS = 10000000
MAX_THREADS = 20
STOP = False
HOSTNAME = DirSrvTools.getLocalhost()
PORT = 389


class TopologyStandalone(object):
    """The DS Topology Class: holds the single standalone instance."""
    def __init__(self, standalone):
        """Call standalone.open() and keep the instance on self.standalone."""
        standalone.open()
        self.standalone = standalone


@pytest.fixture(scope="module")
def topology(request):
    """Create DS Deployment"""
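def test_rootdn_access_allowed_host(topology_st):
    '''
    Test the allowed host feature (rootdn-allow-host) of the Root DN
    access control plugin.

    Steps, as performed below:
      1. Replace rootdn-allow-host with a host name that does not exist;
         the Root DN bind must then be refused.
      2. Bind as USER1_DN, swap the allow list for the local host names and
         check that the Root DN can bind again.
      3. Delete rootdn-allow-host and check that the Root DN still binds,
         so the next test starts without a host restriction.
    '''

    log.info('Running test_rootdn_access_allowed_host...')

    #
    # Set allowed host to an unknown host - blocks the Root DN
    #
    try:
        topology_st.standalone.modify_s(
            PLUGIN_DN,
            [(ldap.MOD_REPLACE, 'rootdn-allow-host', b'i.dont.exist.com')])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Failed to set allowed host: error {}'
            .format(e))
        assert False

    #
    # Bind as Root DN - should fail
    #
    # The plugin is expected to refuse the bind with UNWILLING_TO_PERFORM.
    # Any other LDAPError (for example the server being unreachable) does
    # not show that the host restriction was enforced, so it fails the test
    # instead of being counted as a successful denial.
    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
        succeeded = True
    except ldap.UNWILLING_TO_PERFORM:
        succeeded = False
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Root DN bind failed with an unexpected error: {}'
            .format(e))
        assert False

    if succeeded:
        log.fatal(
            'test_rootdn_access_allowed_host: Root DN was incorrectly able to bind'
        )
        assert False

    #
    # Allow localhost
    #
    # The Root DN is locked out at this point, so the configuration change
    # is made as USER1_DN (presumably granted write access to the plugin
    # entry by the test setup - confirm against the fixture).
    try:
        topology_st.standalone.simple_bind_s(USER1_DN, PASSWORD)
    except ldap.LDAPError:
        log.fatal('test_rootdn_access_allowed_host: : failed to bind as user1')
        assert False

    hostname = socket.gethostname()
    localhost = DirSrvTools.getLocalhost()
    try:
        # Drop the bogus host first so only the local names remain allowed.
        topology_st.standalone.modify_s(
            PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)])
        topology_st.standalone.modify_s(
            PLUGIN_DN,
            [(ldap.MOD_ADD, 'rootdn-allow-host', ensure_bytes(localhost))])
        # Skip the second add when both names are the same value.
        if hostname != localhost:
            topology_st.standalone.modify_s(
                PLUGIN_DN,
                [(ldap.MOD_ADD, 'rootdn-allow-host', ensure_bytes(hostname))])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Failed to set allowed host: error {}'
            .format(e))
        assert False

    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error {}'
            .format(e))
        assert False

    #
    # Cleanup - undo everything we did so the next test has a clean slate
    #
    try:
        topology_st.standalone.modify_s(
            PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Failed to delete(rootdn-allow-host): error {}'
            .format(e))
        assert False

    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error {}'
            .format(e))
        assert False

    log.info('test_rootdn_access_allowed_host: PASSED')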
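def test_rootdn_access_denied_host(topology_st):
    '''
    Test the denied host feature (rootdn-deny-host) of the Root DN access
    control plugin - we can just test denying localhost.

    Steps, as performed below:
      1. Add the local host names to rootdn-deny-host; the Root DN bind
         must then be refused.
      2. Bind as USER1_DN, replace the deny list with a host name that does
         not exist and check that the Root DN can bind again.
      3. Delete rootdn-deny-host and check that the Root DN still binds,
         so the next test starts without a host restriction.
    '''

    log.info('Running test_rootdn_access_denied_host...')
    hostname = socket.gethostname()
    localhost = DirSrvTools.getLocalhost()
    try:
        topology_st.standalone.modify_s(
            PLUGIN_DN,
            [(ldap.MOD_ADD, 'rootdn-deny-host', ensure_bytes(hostname))])
        # Skip the second add when both names are the same value.
        if localhost != hostname:
            topology_st.standalone.modify_s(
                PLUGIN_DN,
                [(ldap.MOD_ADD, 'rootdn-deny-host', ensure_bytes(localhost))])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Failed to set deny host: error {}'
            .format(e))
        assert False

    #
    # Bind as Root DN - should fail
    #
    # The plugin is expected to refuse the bind with UNWILLING_TO_PERFORM.
    # Any other LDAPError (for example the server being unreachable) does
    # not show that the deny rule was enforced, so it fails the test
    # instead of being counted as a successful denial.
    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
        succeeded = True
    except ldap.UNWILLING_TO_PERFORM:
        succeeded = False
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Root DN bind failed with an unexpected error: {}'
            .format(e))
        assert False

    if succeeded:
        log.fatal(
            'test_rootdn_access_denied_host: Root DN was incorrectly able to bind'
        )
        assert False

    #
    # Change the denied host so root DN succeeds
    #
    # The Root DN is locked out at this point, so the configuration change
    # is made as USER1_DN (presumably granted write access to the plugin
    # entry by the test setup - confirm against the fixture).
    try:
        topology_st.standalone.simple_bind_s(USER1_DN, PASSWORD)
    except ldap.LDAPError:
        log.fatal('test_rootdn_access_denied_host: : failed to bind as user1')
        assert False

    try:
        topology_st.standalone.modify_s(
            PLUGIN_DN,
            [(ldap.MOD_REPLACE, 'rootdn-deny-host', b'i.dont.exist.com')])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Failed to set rootDN plugin config: error {}'
            .format(e))
        assert False

    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error {}'
            .format(e))
        assert False

    #
    # Cleanup - undo the changes we made so the next test has a clean slate
    #
    try:
        topology_st.standalone.modify_s(
            PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-deny-host', None)])
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Failed to set rootDN plugin config: error {}'
            .format(e))
        assert False

    try:
        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
    except ldap.LDAPError as e:
        log.fatal(
            'test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error {}'
            .format(e))
        assert False

    log.info('test_rootdn_access_denied_host: PASSED')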