def test_ri_and_mep_cache_corruption(topology_st):
    """Check that a MEP failure inside a DEL does not corrupt the entry cache.

    The delete of the user must be aborted as a whole: referential integrity
    must leave the group membership untouched, and entries created before the
    failure must still be reachable afterwards.

    :id: 70d0b96e-b693-4bf7-bbf5-102a66ac5995
    :setup: Standalone instance
    :steps:
        1. Enable and configure mep and ri plugins
        2. Add user and add it to a group
        3. Disable MEP plugin and remove MEP group
        4. Delete user
        5. Check that user is still a member of the group
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. It fails with NO_SUCH_OBJECT
        5. Success
    """
    inst = topology_st.standalone

    # Dynamic plugins so the MEP enable/disable toggles below take effect
    # without restarting the server.
    inst.config.set('nsslapd-dynamic-plugins', 'on')
    mep = ManagedEntriesPlugin(inst)
    mep.enable()
    ReferentialIntegrityPlugin(inst).enable()

    # Containers for the MEP origin (people) and managed (groups) entries.
    org_units = OrganizationalUnits(inst, DEFAULT_SUFFIX)
    people_ou = org_units.create(properties={'ou': 'managed_people'})
    groups_ou = org_units.create(properties={'ou': 'managed_groups'})

    # MEP template and config: posixAccount entries under people_ou get a
    # managed entry under groups_ou, with cn/uid/gidNumber mapped from the
    # origin entry.
    template = MEPTemplates(inst, DEFAULT_SUFFIX).create(properties={
        'cn': 'MEP template',
        'mepRDNAttr': 'cn',
        'mepStaticAttr': 'objectclass: posixGroup|objectclass: extensibleObject'.split('|'),
        'mepMappedAttr': 'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|'),
    })
    MEPConfigs(inst).create(properties={
        'cn': 'config',
        'originScope': people_ou.dn,
        'originFilter': 'objectclass=posixAccount',
        'managedBase': groups_ou.dn,
        'managedTemplate': template.dn,
    })

    # An account inside the MEP origin scope.
    users = UserAccounts(inst, DEFAULT_SUFFIX, rdn=f'ou={people_ou.rdn}')
    user = users.create(properties={
        'uid': 'test-user1',
        'cn': 'test-user',
        'sn': 'test-user',
        'uidNumber': '10011',
        'gidNumber': '20011',
        'homeDirectory': '/home/test-user1',
    })

    # A plain group referencing the user; RI would normally drop this
    # member when the user is deleted.
    groups = Groups(inst, DEFAULT_SUFFIX)
    member_group = groups.ensure_state(properties={'cn': 'group', 'member': user.dn})

    # MEP must have produced the managed group for the new user.
    managed_group = Group(inst, dn=f'cn={user.rdn},{groups_ou.dn}')
    if not managed_group.exists():
        log.fatal("MEP group was not created for the user")
        assert False

    # MEP betxn preop rejects a MODRDN of the managed entry. The second
    # attempt must fail the same way: the first failure must not have left a
    # stale copy of the entry in the cache.
    for _ in range(2):
        with pytest.raises(ldap.UNWILLING_TO_PERFORM):
            managed_group.rename("cn=modrdn group")

    # Remove the managed group behind MEP's back so that the DEL of the user
    # below fails inside MEP's betxn postop.
    mep.disable()
    managed_group.delete()
    mep.enable()

    # Unrelated group created now; it must still be reachable at the end.
    probe_group = groups.create(properties={'cn': 'test_group'})

    # MEP cannot find the managed group, so the whole DEL must abort.
    with pytest.raises(ldap.NO_SUCH_OBJECT):
        user.delete()

    # Because the DEL aborted, RI must not have touched the membership.
    if not member_group.is_member(user.dn):
        log.fatal("Member was incorrectly removed from the group!! Or so it seems")
        # Restart and re-check: if the membership is back afterwards, only the
        # in-memory entry cache was wrong, not the database.
        inst.restart()
        if member_group.is_member(user.dn):
            log.info("The entry cache was corrupted")
        assert False

    # Deleting the probe group shows it is still found through the cache.
    probe_group.delete()

    log.info("Test PASSED")
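def test_ri_and_mep_cache_corruption(topology_st):
    """Test RI plugin aborts change after MEP plugin fails.

    This is really testing the entry cache for corruption: a MEP failure
    inside a DEL must abort the whole operation (so RI keeps the group
    membership) and must not leave stale entries in the cache.

    :id: 70d0b96e-b693-4bf7-bbf5-102a66ac5995
    :setup: Standalone instance
    :steps:
        1. Add a permissive ACI, then enable and configure mep and ri plugins
        2. Add user (in MEP scope) and add it to a group
        3. Bound as the user, try to rename the managed group entry twice
        4. Disable MEP, add a child entry under the managed group, re-enable MEP
        5. Delete user
        6. Check that user is still a member of the group
        7. Delete the extra test group
    :expectedresults:
        1. Success
        2. Success
        3. Both renames fail with UNWILLING_TO_PERFORM
        4. Success
        5. It fails with NOT_ALLOWED_ON_NONLEAF
        6. Success
        7. Success
    """
    # Add ACI so we can test that non-DM user can't delete managed entry.
    # The ACI is deliberately wide open (allow all to anyone on the suffix):
    # any rejection the bound user sees below must then come from the MEP
    # plugin, not from access control.
    domain = Domain(topology_st.standalone, DEFAULT_SUFFIX)
    ACI_TARGET = f"(target = \"ldap:///{DEFAULT_SUFFIX}\")"
    ACI_TARGETATTR = "(targetattr = *)"
    ACI_ALLOW = "(version 3.0; acl \"Admin Access\"; allow (all) "
    ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)"
    ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
    domain.add('aci', ACI_BODY)

    # Start plugins. Dynamic plugins so the MEP enable/disable toggles below
    # take effect without restarting the server.
    topology_st.standalone.config.set('nsslapd-dynamic-plugins', 'on')
    mep_plugin = ManagedEntriesPlugin(topology_st.standalone)
    mep_plugin.enable()
    ri_plugin = ReferentialIntegrityPlugin(topology_st.standalone)
    ri_plugin.enable()

    # Add our org units: MEP origin (people) and managed (groups) containers.
    ous = OrganizationalUnits(topology_st.standalone, DEFAULT_SUFFIX)
    ou_people = ous.create(properties={'ou': 'managed_people'})
    ou_groups = ous.create(properties={'ou': 'managed_groups'})

    # Configure MEP: posixAccount entries under ou_people get a managed
    # groupOfNames entry under ou_groups, with cn/uid/gidNumber mapped from
    # the origin entry.
    mep_templates = MEPTemplates(topology_st.standalone, DEFAULT_SUFFIX)
    mep_template1 = mep_templates.create(properties={
        'cn': 'MEP template',
        'mepRDNAttr': 'cn',
        'mepStaticAttr': 'objectclass: groupOfNames|objectclass: extensibleObject'.split('|'),
        'mepMappedAttr': 'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|')
    })
    mep_configs = MEPConfigs(topology_st.standalone)
    mep_configs.create(properties={'cn': 'config',
                                   'originScope': ou_people.dn,
                                   'originFilter': 'objectclass=posixAccount',
                                   'managedBase': ou_groups.dn,
                                   'managedTemplate': mep_template1.dn})

    # Add an entry that meets the MEP scope
    users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX, rdn='ou={}'.format(ou_people.rdn))
    user = users.create(properties={
        'uid': 'test-user1',
        'cn': 'test-user',
        'sn': 'test-user',
        'uidNumber': '10011',
        'gidNumber': '20011',
        'homeDirectory': '/home/test-user1'
    })
    # Separate connection bound as the (non-DM) user for the rename attempts.
    # NOTE(review): user_bound_conn is never unbound here; the fixture
    # teardown presumably disposes of the instance — confirm.
    user.reset_password(USER_PASSWORD)
    user_bound_conn = user.bind(USER_PASSWORD)

    # Add group. RI would normally drop this member when the user is deleted.
    groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
    user_group = groups.ensure_state(properties={'cn': 'group', 'member': user.dn})

    # Check if a managed group entry was created
    mep_group = Group(topology_st.standalone, dn='cn={},{}'.format(user.rdn, ou_groups.dn))
    if not mep_group.exists():
        log.fatal("MEP group was not created for the user")
        assert False

    # Test MEP be txn pre op failure does not corrupt entry cache
    # Should get the same exception for both rename attempts: the first
    # failure must not have left a stale copy of the entry in the cache.
    # Try to remove the entry while bound as Admin (non-DM)
    managed_groups_user_conn = Groups(user_bound_conn, ou_groups.dn, rdn=None)
    managed_entry_user_conn = managed_groups_user_conn.get(user.rdn)
    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        managed_entry_user_conn.rename("cn=modrdn group")
    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        managed_entry_user_conn.rename("cn=modrdn group")

    # Mess with MEP so it fails: with the plugin off, add a child beneath the
    # managed group so that it is no longer a leaf entry.
    mep_plugin.disable()
    users_mep_group = UserAccounts(topology_st.standalone, mep_group.dn, rdn=None)
    users_mep_group.create_test_user(1001)
    mep_plugin.enable()

    # Add another group to verify entry cache is not corrupted
    test_group = groups.create(properties={'cn': 'test_group'})

    # Try to delete user - it fails because managed entry can't be deleted
    # (the managed group now has a child, so removing it is refused as a
    # non-leaf delete) and the whole DEL must abort.
    with pytest.raises(ldap.NOT_ALLOWED_ON_NONLEAF):
        user.delete()

    # Verify membership is intact: the DEL aborted, so RI must not have
    # removed the member.
    if not user_group.is_member(user.dn):
        log.fatal("Member was incorrectly removed from the group!! Or so it seems")

        # Restart server and test again in case this was a cache issue: if the
        # membership is back afterwards, only the in-memory cache was wrong.
        topology_st.standalone.restart()
        if user_group.is_member(user.dn):
            log.info("The entry cache was corrupted")
            assert False

        assert False

    # Verify test group is still found in entry cache by deleting it
    test_group.delete()

    # Success
    log.info("Test PASSED")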