def enable_user_attr_encryption(topo, request):
""" Enables attribute encryption for various attributes
Adds a test user with encrypted attributes
"""
log.info("Enable TLS for attribute encryption")
topo.standalone.enable_tls()
log.info("Enables attribute encryption")
backends = Backends(topo.standalone)
backend = backends.list()[0]
encrypt_attrs = EncryptedAttrs(topo.standalone, basedn='cn=encrypted attributes,{}'.format(backend.dn))
log.info("Enables attribute encryption for employeeNumber and telephoneNumber")
emp_num_encrypt = encrypt_attrs.create(properties={'cn': 'employeeNumber', 'nsEncryptionAlgorithm': 'AES'})
telephone_encrypt = encrypt_attrs.create(properties={'cn': 'telephoneNumber', 'nsEncryptionAlgorithm': '3DES'})
log.info("Add a test user with encrypted attributes")
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
test_user = users.create(properties=TEST_USER_PROPERTIES)
test_user.replace('employeeNumber', '1000')
test_user.replace('telephoneNumber', '1234567890')
def fin():
log.info("Remove attribute encryption for various attributes")
emp_num_encrypt.delete()
telephone_encrypt.delete()
request.addfinalizer(fin)
return test_user
def del_encrypted_attr(self, attr_name):
"""Delete encrypted attribute
:param attr_name - Name of the encrypted attribute to delete
"""
enc_attrs = EncryptedAttrs(self._instance, basedn="cn=encrypted attributes," + self._dn).list()
for enc_attr in enc_attrs:
attr = enc_attr.get_attr_val_utf8_l('cn').lower()
if attr_name == attr.lower():
enc_attr.delete()
break
def get_encrypted_attrs(self, just_names=False):
"""Get a list of the excrypted attributes
:param just_names - If True only the encrypted attribute names are returned (instead of the full attribute entry)
:returns - a list of attributes
"""
attrs = EncryptedAttrs(self._instance, basedn=self._dn).list()
if just_names:
results = []
for attr in attrs:
results.append(attr.get_attr_val_utf8_l('cn'))
return results
else:
return attrs
def test_be_delete(topo):
"""Test that we can delete a backend that contains replication
configuration and encrypted attributes. The default naming
context should also be updated to reflect the next available suffix
:id: 5208f897-7c95-4925-bad0-9ceb95fee678
:setup: Master Instance
:steps:
1. Create second backend/suffix
2. Add an encrypted attribute to the default suffix
3. Delete default suffix
4. Check the nsslapd-defaultnamingcontext is updated
5. Delete the last backend
6. Check the namingcontext has not changed
7. Add new backend
8. Set default naming context
9. Verify the naming context is correct
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
9. Success
"""
inst = topo.ms["master1"]
# Create second suffix
backends = Backends(inst)
default_backend = backends.get(DEFAULT_SUFFIX)
new_backend = backends.create(properties={
'nsslapd-suffix': SECOND_SUFFIX,
'name': 'namingRoot'
})
# Add encrypted attribute entry under default suffix
encrypt_attrs = EncryptedAttrs(inst,
basedn='cn=encrypted attributes,{}'.format(
default_backend.dn))
encrypt_attrs.create(properties={
'cn': 'employeeNumber',
'nsEncryptionAlgorithm': 'AES'
})
# Delete default suffix
default_backend.delete()
# Check that the default naming context is set to the new/second suffix
default_naming_ctx = inst.config.get_attr_val_utf8(
'nsslapd-defaultnamingcontext')
assert default_naming_ctx == SECOND_SUFFIX
# delete new backend, but the naming context should not change
new_backend.delete()
# Check that the default naming context is still set to the new/second suffix
default_naming_ctx = inst.config.get_attr_val_utf8(
'nsslapd-defaultnamingcontext')
assert default_naming_ctx == SECOND_SUFFIX
# Add new backend
new_backend = backends.create(properties={
'nsslapd-suffix': THIRD_SUFFIX,
'name': 'namingRoot2'
})
# manaully set naming context
inst.config.set('nsslapd-defaultnamingcontext', THIRD_SUFFIX)
# Verify naming context is correct
default_naming_ctx = inst.config.get_attr_val_utf8(
'nsslapd-defaultnamingcontext')
assert default_naming_ctx == THIRD_SUFFIX
def test_attr_encryption_backends(topo, enable_user_attr_encryption):
"""Tests Configuration of attribute encryption for single backend
where more backends are present
:id: f3ef40e1-17d6-44d8-a3a4-4a25a57e9064
:setup: Standalone instance
SSL Enabled
:steps:
1. Add two test backends
2. Configure attribute encryption for telephoneNumber in one test backend
3. Add a test user in both backends with telephoneNumber
4. Export ldif from both test backends
5. Check that telephoneNumber is encrypted in the ldif file of db1
6. Check that telephoneNumber is not encrypted in the ldif file of db2
7. Delete both test backends
:expectedresults:
1. This should be successful
2. This should be successful
3. This should be successful
4. This should be successful
5. This should be successful
6. This should be successful
7. This should be successful
"""
log.info("Add two test backends")
test_suffix1 = 'dc=test1,dc=com'
test_db1 = 'test_db1'
test_suffix2 = 'dc=test2,dc=com'
test_db2 = 'test_db2'
# Create backends
backends = Backends(topo.standalone)
test_backend1 = backends.create(properties={'cn': test_db1,
'nsslapd-suffix': test_suffix1})
test_backend2 = backends.create(properties={'cn': test_db2,
'nsslapd-suffix': test_suffix2})
# Create the top of the tree
suffix1 = Domain(topo.standalone, test_suffix1)
test1 = suffix1.create(properties={'dc': 'test1'})
suffix2 = Domain(topo.standalone, test_suffix2)
test2 = suffix2.create(properties={'dc': 'test2'})
log.info("Enables attribute encryption for telephoneNumber in test_backend1")
backend1_encrypt_attrs = EncryptedAttrs(topo.standalone, basedn='cn=encrypted attributes,{}'.format(test_backend1.dn))
b1_encrypt = backend1_encrypt_attrs.create(properties={'cn': 'telephoneNumber',
'nsEncryptionAlgorithm': 'AES'})
log.info("Add a test user with telephoneNumber in both backends")
users = UserAccounts(topo.standalone, test1.dn, None)
test_user = users.create(properties=TEST_USER_PROPERTIES)
test_user.replace('telephoneNumber', '1234567890')
users = UserAccounts(topo.standalone, test2.dn, None)
test_user = users.create(properties=TEST_USER_PROPERTIES)
test_user.replace('telephoneNumber', '1234567890')
log.info("Export data as ciphertext from both backends")
export_db1 = os.path.join(topo.standalone.ds_paths.ldif_dir, "export_db1.ldif")
export_db2 = os.path.join(topo.standalone.ds_paths.ldif_dir, "export_db2.ldif")
# Offline export
topo.standalone.stop()
if not topo.standalone.db2ldif(bename=test_db1, suffixes=(test_suffix1,),
excludeSuffixes=None, encrypt=False, repl_data=None, outputfile=export_db1):
log.fatal('Failed to run offline db2ldif')
assert False
if not topo.standalone.db2ldif(bename=test_db2, suffixes=(test_suffix2,),
excludeSuffixes=None, encrypt=False, repl_data=None, outputfile=export_db2):
log.fatal('Failed to run offline db2ldif')
assert False
topo.standalone.start()
log.info("Check that the attribute is present in the exported file in db1")
log.info("Check that the encrypted value of attribute is not present in the exported file in db1")
with open(export_db1, 'r') as ldif_file:
ldif = ldif_file.read()
assert 'telephoneNumber' in ldif
assert 'telephoneNumber: 1234567890' not in ldif
log.info("Check that the attribute is present in the exported file in db2")
log.info("Check that the value of attribute is also present in the exported file in db2")
with open(export_db2, 'r') as ldif_file:
ldif = ldif_file.read()
assert 'telephoneNumber' in ldif
assert 'telephoneNumber: 1234567890' in ldif
log.info("Delete test backends")
test_backend1.delete()
test_backend2.delete()