def test_deny_all_access_with__target_set_on_wildcard_non_leaf(
topo, test_uer, aci_of_user
):
"""Search Test 12 Deny all access with != target set on wildcard non-leaf
:id: 02f34640-6e12-11e8-a382-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target != ldap:///ou=Product*,{})(targetattr=\"*\")".format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will limit the search to ou=Product it will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will limit the search to ou=Product it will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root , aci will give actual no of users , without any limit.
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_all_access_with__target_set(topo, test_uer, aci_of_user,
request):
"""Search Test 8 Deny all access with != target set
:id: bc00aed0-6e11-11e8-be66-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci", '(target != "ldap:///{}")(targetattr = "*")'
'(version 3.0; acl "{}"; deny absolute (all) (userdn = "ldap:///anyone") ;)'
.format(USER_ANANDA, request.node.name))
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will not block USER_ANANDA will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will not block USER_ANANDA will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 4 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_all_access_with_targetfilter_using_equality_search(
topo, test_uer, aci_of_user):
"""Search Test 14 Deny all access with targetfilter using equality search
:id: 27255e04-6e12-11e8-8e35-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = '(targetfilter ="(uid=Anuj Borah)")(target = ldap:///{})(targetattr=*)'.format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block the search to cn=Jeff
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=Anuj Borah)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block the search to cn=Jeff
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=Anuj Borah)'))
# with root there is no blockage
assert 1 == len(
Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=Anuj Borah)'))
def test_deny_all_access_with_targetfilter_using_substring_search_two(
topo, test_uer, aci_of_user):
"""Test that Search Test 17 Deny all access with targetfilter using != substring search
:id: 55b12d98-6e12-11e8-8cf4-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = '(targetfilter !="(uid=Anu*)")(target = ldap:///{})(targetattr=*)'.format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci allow anything cn=j*, it will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci allow anything cn=j*, it will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
# with root there is no blockage
assert 2 == len(
Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
def test_deny_all_access_to_userdnattr(topo, test_uer, aci_of_user):
"""Search Test 7 Deny all access to userdnattr"
:id: ae482494-6e11-11e8-ae33-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
UserAccount(topo.standalone, USER_ANUJ).add('manager', USER_ANANDA)
ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdnattr="manager";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block only 'userdnattr="manager"
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block only 'userdnattr="manager"
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)'))
# with root there is no aci blockage
assert 1 == len(
Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)'))
UserAccount(topo.standalone, USER_ANUJ).remove('manager', USER_ANANDA)
def test_deny_all_access_with_userdn(topo, test_uer, aci_of_user):
"""Search Test 20 Deny all access with userdn
:id: 75aada86-6e12-11e8-bd34-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///{}";)'.format(USER_ANANDA)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block anything for USER_ANANDA , it not block other users
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block anything for USER_ANANDA , it not block other users
assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root thers is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_read_search_and_compare_access_with_target_and_targetattr_set(
topo, test_uer, aci_of_user):
"""Search Test 4 Deny read, search and compare access with target and targetattr set
:id: 3f4a87e4-6e11-11e8-a09f-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(
CONTAINER_2_DELADD)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block all for all usrs
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(ou=Accounting)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block all for all usrs
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(ou=Accounting)'))
# with root there is no aci blockage
assert 1 == len(
Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(ou=Accounting)'))
def status(inst, basedn, log, args):
dn = _get_arg( args.dn, msg="Enter dn to check")
accounts = Accounts(inst, basedn)
acct = accounts.get(dn=dn)
acct_str = "locked: %s" % acct.is_locked()
log.info('dn: %s' % dn)
log.info(acct_str)
def test_deny_search_access_to_userdn_with_ldap_url_matching_all_users(
topo, test_uer, aci_of_user):
"""Search Test 25 Deny search access to userdn with LDAP URL matching all users
:id: b37f72ae-6e12-11e8-9c98-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
ACI_SUBJECT = 'userdn = "ldap:///%s";)' % "{}??sub?(&(cn=*))".format(
DEFAULT_SUFFIX)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block all users LDAP URL matching all users
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block all users LDAP URL matching all users
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_all_access_with__target_set_on_non_leaf(topo, test_uer,
aci_of_user):
"""Search Test 11 Deny all access with != target set on non-leaf
:id: f1c5d72a-6e11-11e8-aa9d-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target != ldap:///{})(targetattr=*)".format(
CONTAINER_2_DELADD)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# After binding with USER_ANANDA , aci will limit the search to itself
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# After binding with USER_ANUJ , aci will limit the search to itself
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# After binding with root , the actual number of users will be given
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_all_access_to_a_target_with_wild_card(topo, test_uer,
aci_of_user):
"""Search Test 2 Deny all access to a target with wild card
:id: 1c370f98-6e11-11e8-9f10-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target = ldap:///uid=Ananda*, ou=*,{})(targetattr=*)".format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block (cn=Sam*) for all usrs
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block (cn=Sam*) for all usrs
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))
# with root there is no aci blockage
assert 1 == len(
Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))
def test_entry_with_lots_100_attributes(topo, test_uer, aci_of_user):
"""Search Test 39 entry with lots (>100) attributes
:id: fc155f74-6e12-11e8-96ac-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Bind with test USER_ANUJ
3. Try search
4. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
3. Operation should success
4. Operation should success
5. Operation should success
"""
for i in range(100):
user = UserAccounts(topo.standalone, DEFAULT_SUFFIX,
rdn='ou=People').create_test_user(uid=i)
user.set("userPassword", "password")
conn = UserAccount(
topo.standalone,
"uid=test_user_1,ou=People,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# no aci no blockage
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj*)'))
# no aci no blockage
assert 102 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
conn = Anonymous(topo.standalone).bind()
# anonymous_search_on_monitor_entry
assert 102 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
def test_deny_search_access_to_userdn_with_ldap_url(topo, test_uer,
aci_of_user):
"""Search Test 23 Deny search access to userdn with LDAP URL
:id: 94f082d8-6e12-11e8-be72-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
ACI_SUBJECT = ('userdn="ldap:///%s";)' %
"{}??sub?(&(roomnumber=3445))".format(DEFAULT_SUFFIX))
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
UserAccount(topo.standalone, USER_ANANDA).set('roomnumber', '3445')
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block all users having roomnumber=3445
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block roomnumber=3445 for all users USER_ANUJ does not have roomnumber
assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
UserAccount(topo.standalone, USER_ANANDA).remove('roomnumber', '3445')
def test_deny_all_access_with__target_set_on_wildcard_leaf(
topo, test_uer, aci_of_user):
"""Search Test 13 Deny all access with != target set on wildcard leaf
:id: 16c54d76-6e12-11e8-b5ba-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target != ldap:///uid=Anuj*, ou=*,{})(targetattr=*)".format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will limit the search to cn=Jeff it will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will limit the search to cn=Jeff it will block others
assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_deny_all_access_with_target_set(topo, test_uer, aci_of_user):
"""Test that Deny all access with target set
:id: 0550e680-6e0e-11e8-82f4-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(USER_ANANDA)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block all for all usrs
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block all for all usrs
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))
# with root there is no aci blockage
assert 1 == len(
Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))
def reset_password(inst, basedn, log, args):
dn = _get_arg(args.dn, msg="Enter dn to reset password")
new_password = _get_arg(args.new_password, hidden=True, confirm=True,
msg="Enter new password for %s" % dn)
accounts = Accounts(inst, basedn)
acct = accounts.get(dn=dn)
acct.reset_password(new_password)
log.info('reset password for %s' % dn)
def finofaci():
accounts = Accounts(topo.standalone, DEFAULT_SUFFIX)
for i in accounts.filter('(uid=*)'):
UserAccount(topo.standalone, i.dn).delete()
ldif_dir = topo.standalone.get_ldif_dir()
import_ldif = ldif_dir + '/basic_import.ldif'
if os.path.exists(import_ldif):
os.remove(import_ldif)
def test_deny_access_to_group_should_deny_access_to_all_uniquemember(
topo, test_uer, aci_of_user, request):
"""Search Test 38 Deny access to group should deny access to all uniquemember (including chain group)
:id: 56b470e4-7941-11e8-912b-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
grp = UniqueGroup(topo.standalone, 'cn=Nested Group 1,' + DEFAULT_SUFFIX)
grp.create(
properties={
'cn': 'Nested Group 1',
'ou': 'groups',
'uniquemember': "cn=Nested Group 2, {}".format(DEFAULT_SUFFIX)
})
grp = UniqueGroup(topo.standalone, 'cn=Nested Group 2,' + DEFAULT_SUFFIX)
grp.create(
properties={
'cn': 'Nested Group 2',
'ou': 'groups',
'uniquemember': "cn=Nested Group 3, {}".format(DEFAULT_SUFFIX)
})
grp = UniqueGroup(topo.standalone, 'cn=Nested Group 3,' + DEFAULT_SUFFIX)
grp.create(
properties={
'cn': 'Nested Group 3',
'ou': 'groups',
'uniquemember': [USER_ANANDA, USER_ANUJ]
})
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci", '(target = ldap:///{})(targetattr=*)'
'(version 3.0; acl "{}"; deny(read)(groupdn = "ldap:///cn=Nested Group 1, {}"); )'
.format(DEFAULT_SUFFIX, request.node.name, DEFAULT_SUFFIX))
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# deny_access_to_group_should_deny_access_to_all_uniquemember
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# deny_access_to_group_should_deny_access_to_all_uniquemember
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_fast_slow_import(topo, _toggle_private_import_mem, _import_clean):
"""With nsslapd-db-private-import-mem: on is faster import.
:id: 3044331c-9c0e-11ea-ac9f-8c16451d917b
:setup: Standalone Instance
:steps:
1. Let's set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: 0
2. Measure offline import time duration total_time1
3. Now nsslapd-db-private-import-mem:off
4. Measure offline import time duration total_time2
5. total_time1 < total_time2
6. Set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: -1
7. Measure offline import time duration total_time1
8. Now nsslapd-db-private-import-mem:off
9. Measure offline import time duration total_time2
10. total_time1 < total_time2
:expected results:
1. Operation successful
2. Operation successful
3. Operation successful
4. Operation successful
5. Operation successful
6. Operation successful
7. Operation successful
8. Operation successful
9. Operation successful
10. Operation successful
"""
# Let's set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: 0
config = LDBMConfig(topo.standalone)
# Measure offline import time duration total_time1
total_time1 = _import_offline(topo, 20)
# Now nsslapd-db-private-import-mem:off
config.replace('nsslapd-db-private-import-mem', 'off')
accounts = Accounts(topo.standalone, DEFAULT_SUFFIX)
for i in accounts.filter('(uid=*)'):
UserAccount(topo.standalone, i.dn).delete()
# Measure offline import time duration total_time2
total_time2 = _import_offline(topo, 20)
# total_time1 < total_time2
assert total_time1 < total_time2
# Set nsslapd-db-private-import-mem:on, nsslapd-import-cache-autosize: -1
config.replace_many(('nsslapd-db-private-import-mem', 'on'),
('nsslapd-import-cache-autosize', '-1'))
for i in accounts.filter('(uid=*)'):
UserAccount(topo.standalone, i.dn).delete()
# Measure offline import time duration total_time1
total_time1 = _import_offline(topo, 20)
# Now nsslapd-db-private-import-mem:off
config.replace('nsslapd-db-private-import-mem', 'off')
for i in accounts.filter('(uid=*)'):
UserAccount(topo.standalone, i.dn).delete()
# Measure offline import time duration total_time2
total_time2 = _import_offline(topo, 20)
# total_time1 < total_time2
assert total_time1 < total_time2
def change_password(inst, basedn, log, args):
dn = _get_arg(args.dn, msg="Enter dn to change password")
cur_password = _get_arg(args.current_password, hidden=True, confirm=False,
msg="Enter current password for %s" % dn)
new_password = _get_arg(args.new_password, hidden=True, confirm=True,
msg="Enter new password for %s" % dn)
accounts = Accounts(inst, basedn)
acct = accounts.get(dn=dn)
acct.change_password(cur_password, new_password)
log.info('changed password for %s' % dn)
def test_usandsconf_dbgen_users(topology_st, set_log_file_and_ldif):
"""Test ldifgen (formerly dbgen) tool to create ldif with users
:id: 426b5b94-9923-454d-a736-7e71ca985e91
:setup: Standalone instance
:steps:
1. Create DS instance
2. Run ldifgen to generate ldif with users
3. Import generated ldif to database
4. Check it was properly imported
:expectedresults:
1. Success
2. Success
3. Success
4. Success
"""
standalone = topology_st.standalone
args = FakeArgs()
args.suffix = DEFAULT_SUFFIX
args.parent = 'ou=people,dc=example,dc=com'
args.number = "1000"
args.rdn_cn = False
args.generic = True
args.start_idx = "50"
args.localize = False
args.ldif_file = ldif_file
content_list = [
'Generating LDIF with the following options:',
'suffix={}'.format(args.suffix), 'parent={}'.format(args.parent),
'number={}'.format(args.number), 'rdn-cn={}'.format(args.rdn_cn),
'generic={}'.format(args.generic), 'start-idx={}'.format(
args.start_idx), 'localize={}'.format(args.localize),
'ldif-file={}'.format(args.ldif_file), 'Writing LDIF',
'Successfully created LDIF file: {}'.format(args.ldif_file)
]
log.info('Run ldifgen to create users ldif')
dbgen_create_users(standalone, log, args)
log.info('Check if file exists')
assert os.path.exists(ldif_file)
check_value_in_log_and_reset(content_list)
log.info('Get number of accounts before import')
accounts = Accounts(standalone, DEFAULT_SUFFIX)
count_account = len(accounts.filter('(uid=*)'))
run_offline_import(standalone, ldif_file)
log.info('Check that accounts are imported')
assert len(accounts.filter('(uid=*)')) > count_account
def test_deny_read_access_to_multiple_groupdns(topo, test_uer, aci_of_user):
"""Search Test 6 Deny read access to multiple groupdn's
:id: 8f3ba440-6e11-11e8-8b20-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
group.add_member(USER_ANANDA)
posix_groups = PosixGroups(topo.standalone, DEFAULT_SUFFIX)
posix_group = posix_groups.create(properties={
"cn": "group2",
"description": "testgroup2",
"gidNumber": "2000",
})
posix_group.add_member(USER_ANUJ)
ACI_TARGET = '(targetattr="*")'
ACI_ALLOW = '(version 3.0; acl "All rights for cn=group1,ou=Groups,{}"; deny(read)'.format(
DEFAULT_SUFFIX)
ACI_SUBJECT = 'groupdn="ldap:///cn=group1,ou=Groups,{}||ldap:///cn=group2,ou=Groups,{}";)'.format(
DEFAULT_SUFFIX, DEFAULT_SUFFIX)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";)
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";)
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 5 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
group = groups.get("group1")
group.delete()
posix_groups.get("group2")
posix_group.delete()
def test_healthcheck_notes_unknown_attribute(topology_st, setup_ldif):
"""Check if HealthCheck returns DSLOGNOTES0002 code
:id: 71ccd1d7-3c71-416b-9d2a-27f9f6633101
:setup: Standalone instance
:steps:
1. Create DS instance
2. Set nsslapd-accesslog-logbuffering to off
3. Import users from created ldif file
4. Use HealthCheck without --json option
5. Use HealthCheck with --json option
:expectedresults:
1. Success
2. Success
3. Success
4. Healthcheck reports DSLOGNOTES0002
5. Healthcheck reports DSLOGNOTES0002
"""
RET_CODE = 'DSLOGNOTES0002'
standalone = topology_st.standalone
log.info('Delete the previous access logs')
topology_st.standalone.deleteAccessLogs()
log.info('Set nsslapd-accesslog-logbuffering to off')
standalone.config.set("nsslapd-accesslog-logbuffering", "off")
log.info('Stopping the server and running offline import...')
standalone.stop()
assert standalone.ldif2db(bename=DEFAULT_BENAME,
suffixes=[DEFAULT_SUFFIX],
encrypt=None,
excludeSuffixes=None,
import_file=import_ldif)
standalone.start()
log.info('Use filters to reproduce "notes=F" in access log')
accounts = Accounts(standalone, DEFAULT_SUFFIX)
accounts.filter('(unknown=test)')
log.info('Check that access log contains "notes=F"')
assert standalone.ds_access_log.match(r'.*notes=F.*')
run_healthcheck_and_flush_log(topology_st,
standalone,
RET_CODE,
json=False)
run_healthcheck_and_flush_log(topology_st, standalone, RET_CODE, json=True)
def test_all_together_positive(topo, _create_test_entries, filter_test, condition, filter_out):
"""Test filter with positive results.
:id: 51924a38-9baa-11e8-b22a-8c16451d917b
:parametrized: yes
:setup: Standalone Server
:steps:
1. Create Filter rules.
2. Try to pass filter rules as per the condition .
:expected results:
1. It should pass
2. It should pass
"""
account = Accounts(topo.standalone, DEFAULT_SUFFIX)
assert account.filter(filter_test)[0].get_attrs_vals_utf8(condition)[filter_out]
def test_entry_with_escaped_characters_fails_to_import_and_index(
topo, _import_clean):
"""If missing entry_id is found, skip it and continue reading the primary db to be re indexed.
:id: 358c938c-9c0e-11ea-adbc-8c16451d917b
:setup: Standalone Instance
:steps:
1. Import the example data from ldif.
2. Remove some of the other entries that were successfully imported.
3. Now re-index the database.
4. Should not return error.
:expected results:
1. Operation successful
2. Operation successful
3. Operation successful
4. Operation successful
"""
# Import the example data from ldif
_import_offline(topo, 10)
count = 0
# Remove some of the other entries that were successfully imported
for user1 in [
user for user in Accounts(topo.standalone, DEFAULT_SUFFIX).list()
if user.dn.startswith('uid')
]:
if count <= 2:
UserAccount(topo.standalone, user1.dn).delete()
count += 1
# Now re-index the database
topo.standalone.stop()
topo.standalone.db2index()
topo.standalone.start()
# Should not return error.
assert not topo.standalone.searchErrorsLog('error')
assert not topo.standalone.searchErrorsLog('foreman fifo error')
def subtree_status(inst, basedn, log, args):
basedn = _get_dn_arg(args.basedn, msg="Enter basedn to check")
filter = ""
scope = ldap.SCOPE_SUBTREE
epoch_inactive_time = None
if args.scope == "one":
scope = ldap.SCOPE_ONELEVEL
if args.filter:
filter = args.filter
if args.become_inactive_on:
datetime_inactive_time = datetime.strptime(args.become_inactive_on,
'%Y-%m-%dT%H:%M:%S')
epoch_inactive_time = datetime.timestamp(datetime_inactive_time)
account_list = Accounts(inst, basedn).filter(filter, scope)
if not account_list:
raise ValueError(f"No entries were found under {basedn}")
for entry in account_list:
status = entry.status()
state = status["state"]
params = status["params"]
if args.inactive_only and state == AccountState.ACTIVATED:
continue
if args.become_inactive_on:
if epoch_inactive_time is None or params["Time Until Inactive"] is None or \
epoch_inactive_time <= (params["Time Until Inactive"] + status["calc_time"]):
continue
_print_entry_status(status, entry.dn, log)
def test_search_attr(topo):
"""Test filter can search attributes
:id: 9a1b0a4b-111c-4105-866d-4288f143ee07
:setup: Standalone instance
:steps:
1. Add test entry
2. make search
:expectedresults:
1. Entry should be added
2. Operation should succeed
"""
user = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in range(1, 5):
user1 = user.create_test_user(uid=i)
user1.set("mail", "AnujBorah{}@ok.com".format(i))
# Testing filter is working for any king of attr
user = Accounts(topo.standalone, DEFAULT_SUFFIX)
assert len(user.filter('(mail=*)')) == 4
assert len(user.filter('(uid=*)')) == 4
# Testing filter is working for other filters
assert len(user.filter("(objectclass=inetOrgPerson)")) == 4
def test_deny_all_access_with_targetattr_set(topo, test_uer, aci_of_user):
"""Search Test 10 Deny all access with targetattr set
:id: e1602ff2-6e11-11e8-8e55-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
testuser = UserAccount(topo.standalone,
"cn=Anuj12,ou=People,{}".format(DEFAULT_SUFFIX))
testuser.create(
properties={
'uid': 'Anuj12',
'cn': 'Anuj12',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Anuj12'
})
ACI_TARGET = '(targetattr="uid")'
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block only uid=*
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block only uid=*
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
# with root there is no aci blockage
assert 4 == len(
Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
testuser.delete()
def test_large_filter(topo, _create_entries, real_value):
"""Exercise large eq filter with dn syntax attributes
:id: abe3e6de-9ecc-11e8-adf0-8c16451d917b
:parametrized: yes
:setup: Standalone
:steps:
1. Try to pass filter rules as per the condition.
2. Bind with any user.
3. Try to pass filter rules with new binding.
:expected results:
1. Pass
2. Pass
3. Pass
"""
assert len(Accounts(topo.standalone, SUFFIX).filter(real_value)) == 3
conn = UserAccount(topo.standalone, f'uid=drose,{SUFFIX}').bind(PW_DM)
assert len(Accounts(conn, SUFFIX).filter(real_value)) == 3
def test_deny_read_access_to_dynamic_group_with_host_port_set_on_ldap_url(
topo, test_uer, aci_of_user):
"""Search Test 27 Deny read access to dynamic group with host:port set on LDAP URL
:id: ceb62158-6e12-11e8-8c36-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
group.add('objectClass', 'groupOfURLS')
group.set(
'memberURL',
"ldap:///localhost:38901/{}??sub?(&(ou=Accounting)(cn=Sam*))".format(
DEFAULT_SUFFIX))
group.add_member(USER_ANANDA)
ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown"
ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format(
DEFAULT_SUFFIX)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block 'memberURL', "ldap:///localhost:38901/dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
group.delete()
