def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_user):
"""
User can access the data only in the afternoon as per the ACI.
:id: 63eb5b1c-7ac5-11e8-bd46-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" '
f'and timeofday > \'1200\' ;)')
# create a new connection for the test
conn = UserAccount(topo.standalone, NIGHTWORKER_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
if datetime.now().hour < 12:
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
else:
org.replace("seeAlso", "cn=1")
def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
"""Dnsalias Keyword NODNS_KEY cannot assess data as per the ACI.
:id: 41b467be-7ac5-11e8-89a3-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
f'(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{NODNS_KEY}" and '
f'dnsalias = "RAP.rock.SALSA.house.COM" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, DNS_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_user_cannot_access_the_data_if_not_from_a_certain_domain(
topo, add_user, aci_of_user):
"""User cannot access the data if not from a certain domain as per the ACI.
:id: 3d658972-7ac5-11e8-930f-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
f'(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{NODNS_KEY}" '
f'and dns = "RAP.rock.SALSA.house.COM" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_authenticated_but_has_no_rigth_on_the_data(topo, add_user,
aci_of_user):
"""User has a password. He is authenticated but has no rigth on the data.
:id: 11be7ebe-7ac5-11e8-b754-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
_add_aci(topo, NONE_ACI_KEY)
# Create a new connection for this test.
conn = UserAccount(topo.standalone, SIMPLE_1_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_user_binds_without_any_password_and_cannot_access_the_data(
topo, add_user, aci_of_user):
"""User binds without any password and cannot access the data
:id: 205777fa-7ac5-11e8-ba2f-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
_add_aci(topo, SIMPLE_ACI_KEY)
# Create a new connection for this test.
conn = Anonymous(topo.standalone).bind()
# Perform Operation
org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):
"""
User cannot access the data at all as per the ACI.
:id: 75cdac5e-7ac5-11e8-968a-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
f'and dayofweek = "$NEW_DATE" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NODAY_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user):
"""
User can access the data EVERYDAY_KEY as per the ACI.
:id: 6c5922ca-7ac5-11e8-8f01-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '
f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, EVERYDAY_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
org.replace("seeAlso", "cn=1")
def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):
"""
User can access the data one day per week as per the ACI.
:id: 7131dc88-7ac5-11e8-acc2-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
today_1 = time.strftime("%c").split()[0]
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
f'and dayofweek = \'{today_1}\' ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, TODAY_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
org.replace("seeAlso", "cn=1")
def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):
"""
User can access the data at any time as per the ACI.
:id: 5b4da91a-7ac5-11e8-bbda-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '
f'(timeofday >= "0000" and timeofday <= "2359") ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, FULLWORKER_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
org.replace("seeAlso", "cn=1")
def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):
"""
User NoIP cannot assess the data as per the ACI.
:id: 570bc7f6-7ac5-11e8-88c1-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target ="ldap:///{IP_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "IP aci"; allow(all) '
f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NOIP_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, IP_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_user_can_access_the_data_only_in_the_morning(topo, add_user,
aci_of_user):
"""
User can access the data only in the morning as per the ACI.
:id:5f7d380c-7ac5-11e8-8124-8c16451d917b
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
f'allow(all) userdn = "ldap:///{DAYWORKER_KEY}" '
f'and timeofday < "1200" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, DAYWORKER_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
if datetime.now().hour >= 12:
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
else:
org.replace("seeAlso", "cn=1")
def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):
"""
User can access the data when connecting from certain network only as per the ACI.
:id: 4ec38296-7ac5-11e8-9816-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Turn access log buffering off to make less time consuming
topo.standalone.config.set('nsslapd-accesslog-logbuffering', 'off')
# Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
# Wait till Access Log is generated
topo.standalone.restart()
hostname = socket.gethostname()
IP = socket.gethostbyname(hostname)
# Add ACI
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add(
"aci",
f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci "IP aci"; '
f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and (ip = "127.0.0.1" or ip = "::1" or ip = "{IP}") ;)'
)
# create a new connection for the test
conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, IP_OU_KEY)
org.replace("seeAlso", "cn=1")
# remove the aci
domain.ensure_removed(
"aci",
f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci '
f'"IP aci"; allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and '
f'(ip = "127.0.0.1" or ip = "::1" or ip = "{IP}") ;)')
# Now add aci with new ip
domain.add(
"aci",
f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")(version 3.0; aci "IP aci"; '
f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "100.1.1.1" ;)'
)
# After changing the ip user cant access data
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_entryusn_after_repl_delete(topology_m2):
"""Verify that entryUSN is incremented on 1 after delete operation which creates a tombstone
:id: 1704cf65-41bc-4347-bdaf-20fc2431b218
:setup: An instance with replication, Users, USN enabled
:steps:
1. Try to delete a user
2. Check the tombstone has the incremented USN
3. Try to delete ou=People with users
4. Check the entry has a not incremented entryUSN
:expectedresults:
1. Success
2. Success
3. Should fail with Not Allowed On Non-leaf error
4. Success
"""
inst = topology_m2.ms["supplier1"]
plugin = USNPlugin(inst)
plugin.enable()
inst.restart()
users = UserAccounts(inst, DEFAULT_SUFFIX)
try:
user_1 = users.create_test_user()
user_rdn = user_1.rdn
tombstones = Tombstones(inst, DEFAULT_SUFFIX)
user_1.replace('description', 'update_ts')
user_usn = user_1.get_attr_val_int('entryusn')
user_1.delete()
time.sleep(1) # Gives a little time for tombstone creation to complete
ts = tombstones.get(user_rdn)
ts_usn = ts.get_attr_val_int('entryusn')
assert (user_usn + 1) == ts_usn
user_1 = users.create_test_user()
org = OrganizationalUnit(inst, f"ou=People,{DEFAULT_SUFFIX}")
org.replace('description', 'update_ts')
ou_usn_before = org.get_attr_val_int('entryusn')
try:
org.delete()
except ldap.NOT_ALLOWED_ON_NONLEAF:
pass
ou_usn_after = org.get_attr_val_int('entryusn')
assert ou_usn_before == ou_usn_after
finally:
try:
user_1.delete()
except ldap.NO_SUCH_OBJECT:
pass
def test_connection_from_an_unauthorized_network(topo, add_user, aci_of_user):
"""
User cannot access the data when connectin from an unauthorized network as per the ACI.
:id: 52d1ecce-7ac5-11e8-9ad9-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
old_hostname = socket.gethostname()
socket.sethostname('localhost')
hostname = socket.gethostname()
# Add ACI
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "IP aci"; '
f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '
f'and (ip != "127.0.0.1" and ip != "::1") ;)')
# create a new connection for the test
new_uri = topo.standalone.ldapuri.replace(old_hostname, hostname)
topo.standalone.ldapuri = new_uri
conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
# Perform Operation
topo.standalone.config.set('nsslapd-errorlog-level', '128')
org = OrganizationalUnit(conn, IP_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
# Remove the ACI
domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])
# Add new ACI
domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")'
f'(version 3.0; aci "IP aci"; allow(all) '
f'userdn = "ldap:///{NETSCAPEIP_KEY}" and (ip = "127.0.0.1" or ip = "::1") ;)')
time.sleep(1)
# now user can access data
org.replace("seeAlso", "cn=1")
def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):
"""
User cannot access the data when connectin from an unauthorized network as per the ACI.
:id:52d1ecce-7ac5-11e8-9ad9-8c16451d917b
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
ip_ip = topo.standalone.ds_access_log.match(
'.* connection from ')[0].split()[-1]
# Add ACI
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add(
"aci", f'(target = "ldap:///{IP_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "IP aci"; '
f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '
f'and ip != "{ip_ip}" ;)')
# create a new connection for the test
conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, IP_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
# Remove the ACI
domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])
# Add new ACI
domain.add(
'aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)'
f'(version 3.0; aci "IP aci"; allow(all) '
f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')
# now user can access data
org.replace("seeAlso", "cn=1")
def test_timeofday_keyword(topo, add_user, aci_of_user):
"""
User NOWORKER_KEY can access the data as per the ACI after removing
ACI it cant.
:id: 681dd58e-7ac5-11e8-bed1-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
now = time.strftime("%c")
now_1 = "".join(now.split()[3].split(":"))[:4]
# Add ACI
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add(
"aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
f'allow(all) userdn = "ldap:///{NOWORKER_KEY}" '
f'and timeofday = \'{now_1}\' ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NOWORKER_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
org.replace("seeAlso", "cn=1")
# Remove ACI
aci = domain.get_attr_vals_utf8('aci')[-1]
domain.ensure_removed('aci', aci)
assert aci not in domain.get_attr_vals_utf8('aci')
# after removing the ACI user cannot access the data
time.sleep(1)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_anonymous_user_cannot_access_the_data(topo, add_user, aci_of_user):
"""Anonymous user cannot access the data
:id: 0821a55c-7ac5-11e8-b214-8c16451d917b
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
_add_aci(topo, NONE_ACI_KEY)
# Create a new connection for this test.
conn = Anonymous(topo.standalone).bind()
# Perform Operation
org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
