def test_deny_all_access_with__target_set_on_wildcard_non_leaf( topo, test_uer, aci_of_user ): """Search Test 12 Deny all access with != target set on wildcard non-leaf :id: 02f34640-6e12-11e8-a382-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = "(target != ldap:///ou=Product*,{})(targetattr=\"*\")".format( DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///anyone";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will limit the search to ou=Product it will block others assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will limit the search to ou=Product it will block others assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root , aci will give actual no of users , without any limit. assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_all_access_with__target_set(topo, test_uer, aci_of_user, request): """Search Test 8 Deny all access with != target set :id: bc00aed0-6e11-11e8-be66-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ Domain(topo.standalone, DEFAULT_SUFFIX).add( "aci", '(target != "ldap:///{}")(targetattr = "*")' '(version 3.0; acl "{}"; deny absolute (all) (userdn = "ldap:///anyone") ;)' .format(USER_ANANDA, request.node.name)) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will not block USER_ANANDA will block others assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will not block USER_ANANDA will block others assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_all_access_with_targetfilter_using_equality_search( topo, test_uer, aci_of_user): """Search Test 14 Deny all access with targetfilter using equality search :id: 27255e04-6e12-11e8-8e35-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = '(targetfilter ="(uid=Anuj Borah)")(target = ldap:///{})(targetattr=*)'.format( DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///anyone";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block the search to cn=Jeff assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=Anuj Borah)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block the search to cn=Jeff assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=Anuj Borah)')) # with root there is no blockage assert 1 == len( Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=Anuj Borah)'))
def test_deny_all_access_with_targetfilter_using_substring_search_two( topo, test_uer, aci_of_user): """Test that Search Test 17 Deny all access with targetfilter using != substring search :id: 55b12d98-6e12-11e8-8cf4-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = '(targetfilter !="(uid=Anu*)")(target = ldap:///{})(targetattr=*)'.format( DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///anyone";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci allow anything cn=j*, it will block others assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci allow anything cn=j*, it will block others assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)')) # with root there is no blockage assert 2 == len( Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
def test_deny_all_access_to_userdnattr(topo, test_uer, aci_of_user): """Search Test 7 Deny all access to userdnattr" :id: ae482494-6e11-11e8-ae33-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ UserAccount(topo.standalone, USER_ANUJ).add('manager', USER_ANANDA) ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdnattr="manager";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block only 'userdnattr="manager" assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block only 'userdnattr="manager" assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)')) # with root there is no aci blockage assert 1 == len( Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)')) UserAccount(topo.standalone, USER_ANUJ).remove('manager', USER_ANANDA)
def test_deny_all_access_with_userdn(topo, test_uer, aci_of_user): """Search Test 20 Deny all access with userdn :id: 75aada86-6e12-11e8-bd34-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///{}";)'.format(USER_ANANDA) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block anything for USER_ANANDA , it not block other users assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block anything for USER_ANANDA , it not block other users assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root thers is no aci blockage assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_read_search_and_compare_access_with_target_and_targetattr_set( topo, test_uer, aci_of_user): """Search Test 4 Deny read, search and compare access with target and targetattr set :id: 3f4a87e4-6e11-11e8-a09f-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format( CONTAINER_2_DELADD) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///anyone";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block all for all usrs assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(ou=Accounting)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block all for all usrs assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(ou=Accounting)')) # with root there is no aci blockage assert 1 == len( Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(ou=Accounting)'))
def status(inst, basedn, log, args): dn = _get_arg( args.dn, msg="Enter dn to check") accounts = Accounts(inst, basedn) acct = accounts.get(dn=dn) acct_str = "locked: %s" % acct.is_locked() log.info('dn: %s' % dn) log.info(acct_str)
def test_deny_search_access_to_userdn_with_ldap_url_matching_all_users( topo, test_uer, aci_of_user): """Search Test 25 Deny search access to userdn with LDAP URL matching all users :id: b37f72ae-6e12-11e8-9c98-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)' ACI_SUBJECT = 'userdn = "ldap:///%s";)' % "{}??sub?(&(cn=*))".format( DEFAULT_SUFFIX) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block all users LDAP URL matching all users assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block all users LDAP URL matching all users assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_all_access_with__target_set_on_non_leaf(topo, test_uer, aci_of_user): """Search Test 11 Deny all access with != target set on non-leaf :id: f1c5d72a-6e11-11e8-aa9d-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = "(target != ldap:///{})(targetattr=*)".format( CONTAINER_2_DELADD) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///anyone";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # After binding with USER_ANANDA , aci will limit the search to itself assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # After binding with USER_ANUJ , aci will limit the search to itself assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # After binding with root , the actual number of users will be given assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_all_access_to_a_target_with_wild_card(topo, test_uer, aci_of_user): """Search Test 2 Deny all access to a target with wild card :id: 1c370f98-6e11-11e8-9f10-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = "(target = ldap:///uid=Ananda*, ou=*,{})(targetattr=*)".format( DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///anyone";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block (cn=Sam*) for all usrs assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block (cn=Sam*) for all usrs assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)')) # with root there is no aci blockage assert 1 == len( Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))
def test_entry_with_lots_100_attributes(topo, test_uer, aci_of_user): """Search Test 39 entry with lots (>100) attributes :id: fc155f74-6e12-11e8-96ac-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Bind with test USER_ANUJ 3. Try search 4. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 3. Operation should success 4. Operation should success 5. Operation should success """ for i in range(100): user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=People').create_test_user(uid=i) user.set("userPassword", "password") conn = UserAccount( topo.standalone, "uid=test_user_1,ou=People,{}".format(DEFAULT_SUFFIX)).bind(PW_DM) # no aci no blockage assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj*)')) # no aci no blockage assert 102 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)')) conn = Anonymous(topo.standalone).bind() # anonymous_search_on_monitor_entry assert 102 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
def test_deny_search_access_to_userdn_with_ldap_url(topo, test_uer, aci_of_user): """Search Test 23 Deny search access to userdn with LDAP URL :id: 94f082d8-6e12-11e8-be72-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)' ACI_SUBJECT = ('userdn="ldap:///%s";)' % "{}??sub?(&(roomnumber=3445))".format(DEFAULT_SUFFIX)) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) UserAccount(topo.standalone, USER_ANANDA).set('roomnumber', '3445') conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block all users having roomnumber=3445 assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block roomnumber=3445 for all users USER_ANUJ does not have roomnumber assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage UserAccount(topo.standalone, USER_ANANDA).remove('roomnumber', '3445')
def test_deny_all_access_with__target_set_on_wildcard_leaf( topo, test_uer, aci_of_user): """Search Test 13 Deny all access with != target set on wildcard leaf :id: 16c54d76-6e12-11e8-b5ba-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = "(target != ldap:///uid=Anuj*, ou=*,{})(targetattr=*)".format( DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///anyone";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will limit the search to cn=Jeff it will block others assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will limit the search to cn=Jeff it will block others assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_all_access_with_target_set(topo, test_uer, aci_of_user): """Test that Deny all access with target set :id: 0550e680-6e0e-11e8-82f4-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(USER_ANANDA) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///anyone";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block all for all usrs assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block all for all usrs assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)')) # with root there is no aci blockage assert 1 == len( Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))
def reset_password(inst, basedn, log, args): dn = _get_arg(args.dn, msg="Enter dn to reset password") new_password = _get_arg(args.new_password, hidden=True, confirm=True, msg="Enter new password for %s" % dn) accounts = Accounts(inst, basedn) acct = accounts.get(dn=dn) acct.reset_password(new_password) log.info('reset password for %s' % dn)
def finofaci(): accounts = Accounts(topo.standalone, DEFAULT_SUFFIX) for i in accounts.filter('(uid=*)'): UserAccount(topo.standalone, i.dn).delete() ldif_dir = topo.standalone.get_ldif_dir() import_ldif = ldif_dir + '/basic_import.ldif' if os.path.exists(import_ldif): os.remove(import_ldif)
def test_deny_access_to_group_should_deny_access_to_all_uniquemember( topo, test_uer, aci_of_user, request): """Search Test 38 Deny access to group should deny access to all uniquemember (including chain group) :id: 56b470e4-7941-11e8-912b-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ grp = UniqueGroup(topo.standalone, 'cn=Nested Group 1,' + DEFAULT_SUFFIX) grp.create( properties={ 'cn': 'Nested Group 1', 'ou': 'groups', 'uniquemember': "cn=Nested Group 2, {}".format(DEFAULT_SUFFIX) }) grp = UniqueGroup(topo.standalone, 'cn=Nested Group 2,' + DEFAULT_SUFFIX) grp.create( properties={ 'cn': 'Nested Group 2', 'ou': 'groups', 'uniquemember': "cn=Nested Group 3, {}".format(DEFAULT_SUFFIX) }) grp = UniqueGroup(topo.standalone, 'cn=Nested Group 3,' + DEFAULT_SUFFIX) grp.create( properties={ 'cn': 'Nested Group 3', 'ou': 'groups', 'uniquemember': [USER_ANANDA, USER_ANUJ] }) Domain(topo.standalone, DEFAULT_SUFFIX).add( "aci", '(target = ldap:///{})(targetattr=*)' '(version 3.0; acl "{}"; deny(read)(groupdn = "ldap:///cn=Nested Group 1, {}"); )' .format(DEFAULT_SUFFIX, request.node.name, DEFAULT_SUFFIX)) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # deny_access_to_group_should_deny_access_to_all_uniquemember assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # deny_access_to_group_should_deny_access_to_all_uniquemember assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_fast_slow_import(topo, _toggle_private_import_mem, _import_clean): """With nsslapd-db-private-import-mem: on is faster import. :id: 3044331c-9c0e-11ea-ac9f-8c16451d917b :setup: Standalone Instance :steps: 1. Let's set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: 0 2. Measure offline import time duration total_time1 3. Now nsslapd-db-private-import-mem:off 4. Measure offline import time duration total_time2 5. total_time1 < total_time2 6. Set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: -1 7. Measure offline import time duration total_time1 8. Now nsslapd-db-private-import-mem:off 9. Measure offline import time duration total_time2 10. total_time1 < total_time2 :expected results: 1. Operation successful 2. Operation successful 3. Operation successful 4. Operation successful 5. Operation successful 6. Operation successful 7. Operation successful 8. Operation successful 9. Operation successful 10. Operation successful """ # Let's set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: 0 config = LDBMConfig(topo.standalone) # Measure offline import time duration total_time1 total_time1 = _import_offline(topo, 20) # Now nsslapd-db-private-import-mem:off config.replace('nsslapd-db-private-import-mem', 'off') accounts = Accounts(topo.standalone, DEFAULT_SUFFIX) for i in accounts.filter('(uid=*)'): UserAccount(topo.standalone, i.dn).delete() # Measure offline import time duration total_time2 total_time2 = _import_offline(topo, 20) # total_time1 < total_time2 assert total_time1 < total_time2 # Set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: -1 config.replace_many(('nsslapd-db-private-import-mem', 'on'), ('nsslapd-import-cache-autosize', '-1')) for i in accounts.filter('(uid=*)'): UserAccount(topo.standalone, i.dn).delete() # Measure offline import time duration total_time1 total_time1 = _import_offline(topo, 20) # Now nsslapd-db-private-import-mem:off config.replace('nsslapd-db-private-import-mem', 'off') for i in accounts.filter('(uid=*)'): UserAccount(topo.standalone, i.dn).delete() # Measure offline import time duration total_time2 total_time2 = _import_offline(topo, 20) # total_time1 < total_time2 assert total_time1 < total_time2
def change_password(inst, basedn, log, args): dn = _get_arg(args.dn, msg="Enter dn to change password") cur_password = _get_arg(args.current_password, hidden=True, confirm=False, msg="Enter current password for %s" % dn) new_password = _get_arg(args.new_password, hidden=True, confirm=True, msg="Enter new password for %s" % dn) accounts = Accounts(inst, basedn) acct = accounts.get(dn=dn) acct.change_password(cur_password, new_password) log.info('changed password for %s' % dn)
def test_usandsconf_dbgen_users(topology_st, set_log_file_and_ldif): """Test ldifgen (formerly dbgen) tool to create ldif with users :id: 426b5b94-9923-454d-a736-7e71ca985e91 :setup: Standalone instance :steps: 1. Create DS instance 2. Run ldifgen to generate ldif with users 3. Import generated ldif to database 4. Check it was properly imported :expectedresults: 1. Success 2. Success 3. Success 4. Success """ standalone = topology_st.standalone args = FakeArgs() args.suffix = DEFAULT_SUFFIX args.parent = 'ou=people,dc=example,dc=com' args.number = "1000" args.rdn_cn = False args.generic = True args.start_idx = "50" args.localize = False args.ldif_file = ldif_file content_list = [ 'Generating LDIF with the following options:', 'suffix={}'.format(args.suffix), 'parent={}'.format(args.parent), 'number={}'.format(args.number), 'rdn-cn={}'.format(args.rdn_cn), 'generic={}'.format(args.generic), 'start-idx={}'.format( args.start_idx), 'localize={}'.format(args.localize), 'ldif-file={}'.format(args.ldif_file), 'Writing LDIF', 'Successfully created LDIF file: {}'.format(args.ldif_file) ] log.info('Run ldifgen to create users ldif') dbgen_create_users(standalone, log, args) log.info('Check if file exists') assert os.path.exists(ldif_file) check_value_in_log_and_reset(content_list) log.info('Get number of accounts before import') accounts = Accounts(standalone, DEFAULT_SUFFIX) count_account = len(accounts.filter('(uid=*)')) run_offline_import(standalone, ldif_file) log.info('Check that accounts are imported') assert len(accounts.filter('(uid=*)')) > count_account
def test_deny_read_access_to_multiple_groupdns(topo, test_uer, aci_of_user): """Search Test 6 Deny read access to multiple groupdn's :id: 8f3ba440-6e11-11e8-8b20-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add_member(USER_ANANDA) posix_groups = PosixGroups(topo.standalone, DEFAULT_SUFFIX) posix_group = posix_groups.create(properties={ "cn": "group2", "description": "testgroup2", "gidNumber": "2000", }) posix_group.add_member(USER_ANUJ) ACI_TARGET = '(targetattr="*")' ACI_ALLOW = '(version 3.0; acl "All rights for cn=group1,ou=Groups,{}"; deny(read)'.format( DEFAULT_SUFFIX) ACI_SUBJECT = 'groupdn="ldap:///cn=group1,ou=Groups,{}||ldap:///cn=group2,ou=Groups,{}";)'.format( DEFAULT_SUFFIX, DEFAULT_SUFFIX) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";) assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";) assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 5 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)')) group = groups.get("group1") group.delete() posix_groups.get("group2") posix_group.delete()
def test_healthcheck_notes_unknown_attribute(topology_st, setup_ldif): """Check if HealthCheck returns DSLOGNOTES0002 code :id: 71ccd1d7-3c71-416b-9d2a-27f9f6633101 :setup: Standalone instance :steps: 1. Create DS instance 2. Set nsslapd-accesslog-logbuffering to off 3. Import users from created ldif file 4. Use HealthCheck without --json option 5. Use HealthCheck with --json option :expectedresults: 1. Success 2. Success 3. Success 4. Healthcheck reports DSLOGNOTES0002 5. Healthcheck reports DSLOGNOTES0002 """ RET_CODE = 'DSLOGNOTES0002' standalone = topology_st.standalone log.info('Delete the previous access logs') topology_st.standalone.deleteAccessLogs() log.info('Set nsslapd-accesslog-logbuffering to off') standalone.config.set("nsslapd-accesslog-logbuffering", "off") log.info('Stopping the server and running offline import...') standalone.stop() assert standalone.ldif2db(bename=DEFAULT_BENAME, suffixes=[DEFAULT_SUFFIX], encrypt=None, excludeSuffixes=None, import_file=import_ldif) standalone.start() log.info('Use filters to reproduce "notes=F" in access log') accounts = Accounts(standalone, DEFAULT_SUFFIX) accounts.filter('(unknown=test)') log.info('Check that access log contains "notes=F"') assert standalone.ds_access_log.match(r'.*notes=F.*') run_healthcheck_and_flush_log(topology_st, standalone, RET_CODE, json=False) run_healthcheck_and_flush_log(topology_st, standalone, RET_CODE, json=True)
def test_all_together_positive(topo, _create_test_entries, filter_test, condition, filter_out): """Test filter with positive results. :id: 51924a38-9baa-11e8-b22a-8c16451d917b :parametrized: yes :setup: Standalone Server :steps: 1. Create Filter rules. 2. Try to pass filter rules as per the condition . :expected results: 1. It should pass 2. It should pass """ account = Accounts(topo.standalone, DEFAULT_SUFFIX) assert account.filter(filter_test)[0].get_attrs_vals_utf8(condition)[filter_out]
def test_entry_with_escaped_characters_fails_to_import_and_index( topo, _import_clean): """If missing entry_id is found, skip it and continue reading the primary db to be re indexed. :id: 358c938c-9c0e-11ea-adbc-8c16451d917b :setup: Standalone Instance :steps: 1. Import the example data from ldif. 2. Remove some of the other entries that were successfully imported. 3. Now re-index the database. 4. Should not return error. :expected results: 1. Operation successful 2. Operation successful 3. Operation successful 4. Operation successful """ # Import the example data from ldif _import_offline(topo, 10) count = 0 # Remove some of the other entries that were successfully imported for user1 in [ user for user in Accounts(topo.standalone, DEFAULT_SUFFIX).list() if user.dn.startswith('uid') ]: if count <= 2: UserAccount(topo.standalone, user1.dn).delete() count += 1 # Now re-index the database topo.standalone.stop() topo.standalone.db2index() topo.standalone.start() # Should not return error. assert not topo.standalone.searchErrorsLog('error') assert not topo.standalone.searchErrorsLog('foreman fifo error')
def subtree_status(inst, basedn, log, args): basedn = _get_dn_arg(args.basedn, msg="Enter basedn to check") filter = "" scope = ldap.SCOPE_SUBTREE epoch_inactive_time = None if args.scope == "one": scope = ldap.SCOPE_ONELEVEL if args.filter: filter = args.filter if args.become_inactive_on: datetime_inactive_time = datetime.strptime(args.become_inactive_on, '%Y-%m-%dT%H:%M:%S') epoch_inactive_time = datetime.timestamp(datetime_inactive_time) account_list = Accounts(inst, basedn).filter(filter, scope) if not account_list: raise ValueError(f"No entries were found under {basedn}") for entry in account_list: status = entry.status() state = status["state"] params = status["params"] if args.inactive_only and state == AccountState.ACTIVATED: continue if args.become_inactive_on: if epoch_inactive_time is None or params["Time Until Inactive"] is None or \ epoch_inactive_time <= (params["Time Until Inactive"] + status["calc_time"]): continue _print_entry_status(status, entry.dn, log)
def test_search_attr(topo): """Test filter can search attributes :id: 9a1b0a4b-111c-4105-866d-4288f143ee07 :setup: Standalone instance :steps: 1. Add test entry 2. make search :expectedresults: 1. Entry should be added 2. Operation should succeed """ user = UserAccounts(topo.standalone, DEFAULT_SUFFIX) for i in range(1, 5): user1 = user.create_test_user(uid=i) user1.set("mail", "AnujBorah{}@ok.com".format(i)) # Testing filter is working for any king of attr user = Accounts(topo.standalone, DEFAULT_SUFFIX) assert len(user.filter('(mail=*)')) == 4 assert len(user.filter('(uid=*)')) == 4 # Testing filter is working for other filters assert len(user.filter("(objectclass=inetOrgPerson)")) == 4
def test_deny_all_access_with_targetattr_set(topo, test_uer, aci_of_user): """Search Test 10 Deny all access with targetattr set :id: e1602ff2-6e11-11e8-8e55-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ testuser = UserAccount(topo.standalone, "cn=Anuj12,ou=People,{}".format(DEFAULT_SUFFIX)) testuser.create( properties={ 'uid': 'Anuj12', 'cn': 'Anuj12', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'Anuj12' }) ACI_TARGET = '(targetattr="uid")' ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///anyone";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block only uid=* assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block only uid=* assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)')) # with root there is no aci blockage assert 4 == len( Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)')) testuser.delete()
def test_large_filter(topo, _create_entries, real_value): """Exercise large eq filter with dn syntax attributes :id: abe3e6de-9ecc-11e8-adf0-8c16451d917b :parametrized: yes :setup: Standalone :steps: 1. Try to pass filter rules as per the condition. 2. Bind with any user. 3. Try to pass filter rules with new binding. :expected results: 1. Pass 2. Pass 3. Pass """ assert len(Accounts(topo.standalone, SUFFIX).filter(real_value)) == 3 conn = UserAccount(topo.standalone, f'uid=drose,{SUFFIX}').bind(PW_DM) assert len(Accounts(conn, SUFFIX).filter(real_value)) == 3
def test_deny_read_access_to_dynamic_group_with_host_port_set_on_ldap_url( topo, test_uer, aci_of_user): """Search Test 27 Deny read access to dynamic group with host:port set on LDAP URL :id: ceb62158-6e12-11e8-8c36-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add('objectClass', 'groupOfURLS') group.set( 'memberURL', "ldap:///localhost:38901/{}??sub?(&(ou=Accounting)(cn=Sam*))".format( DEFAULT_SUFFIX)) group.add_member(USER_ANANDA) ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format( DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown" ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format( DEFAULT_SUFFIX) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block 'memberURL', "ldap:///localhost:38901/dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))" assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)')) group.delete()