def test_nestedrole(topo, _final):
"""
:id: d52a9cw0-3bg6-11e9-9b7b-8c16451d917t
:setup: Standalone server
:steps:
1. Add test entry
2. Add ACI
3. Search managed role entries
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Create Managed role entry
managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
managed_role1 = managed_roles.create(properties={"cn": 'managed_role1'})
managed_role2 = managed_roles.create(properties={"cn": 'managed_role2'})
# Create nested role entry
nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
nested_role = nested_roles.create(
properties={
"cn": 'nested_role',
"nsRoleDN": [managed_role1.dn, managed_role2.dn]
})
# Create user and assign managed role to it
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
user1 = users.create_test_user(uid=1, gid=1)
user1.set('nsRoleDN', managed_role1.dn)
user1.set('userPassword', PW_DM)
# Create another user and assign managed role to it
user2 = users.create_test_user(uid=2, gid=2)
user2.set('nsRoleDN', managed_role2.dn)
user2.set('userPassword', PW_DM)
# Create another user and do not assign any role to it
user3 = users.create_test_user(uid=3, gid=3)
user3.set('userPassword', PW_DM)
# Create a ACI with deny access to nested role entry
Domain(topo.standalone, DEFAULT_SUFFIX).\
add('aci', f'(targetattr=*)(version 3.0; aci '
f'"role aci"; deny(all) roledn="ldap:///{nested_role.dn}";)')
# Create connection with 'uid=test_user_1,ou=People,dc=example,dc=com' member of managed_role1
# and search while bound as the user
conn = users.get('test_user_1').bind(PW_DM)
assert not UserAccounts(conn, DEFAULT_SUFFIX).list()
# Create connection with 'uid=test_user_2,ou=People,dc=example,dc=com' member of managed_role2
# and search while bound as the user
conn = users.get('test_user_2').bind(PW_DM)
assert not UserAccounts(conn, DEFAULT_SUFFIX).list()
# Create connection with 'uid=test_user_3,ou=People,dc=example,dc=com' and
# search while bound as the user
conn = users.get('test_user_3').bind(PW_DM)
assert UserAccounts(conn, DEFAULT_SUFFIX).list()
def fin():
topo.standalone.restart()
try:
role = ManagedRoles(topo.standalone, DEFAULT_SUFFIX).get('ROLE1')
role.delete()
except:
pass
topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')
def test_usandsconf_dbgen_managed_role(topology_st, set_log_file_and_ldif):
"""Test ldifgen (formerly dbgen) tool to create a managed role
:id: 10e77b41-0bc1-4ad5-a144-2c5107455b91
:setup: Standalone instance
:steps:
1. Create DS instance
2. Run ldifgen to generate ldif with managed role
3. Import generated ldif to database
4. Check it was properly imported
:expectedresults:
1. Success
2. Success
3. Success
4. Success
"""
LDAP_RESULT = 'adding new entry "cn=My_Managed_Role,ou=managed roles,dc=example,dc=com"'
standalone = topology_st.standalone
args = FakeArgs()
args.NAME = 'My_Managed_Role'
args.parent = 'ou=managed roles,dc=example,dc=com'
args.create_parent = True
args.type = 'managed'
args.filter = None
args.role_dn = None
args.ldif_file = ldif_file
content_list = [
'Generating LDIF with the following options:',
'NAME={}'.format(args.NAME), 'parent={}'.format(args.parent),
'create-parent={}'.format(args.create_parent),
'type={}'.format(args.type), 'ldif-file={}'.format(args.ldif_file),
'Writing LDIF',
'Successfully created LDIF file: {}'.format(args.ldif_file)
]
log.info('Run ldifgen to create managed role ldif')
dbgen_create_role(standalone, log, args)
log.info('Check if file exists')
assert os.path.exists(ldif_file)
check_value_in_log_and_reset(content_list)
# Groups, COS, Roles and modification ldifs are designed to be used by ldapmodify, not ldif2db
run_ldapmodify_from_file(standalone, ldif_file, LDAP_RESULT)
log.info('Check that managed role is imported')
roles = ManagedRoles(standalone, DEFAULT_SUFFIX)
assert roles.exists(args.NAME)
def fin():
topo.standalone.restart()
try:
filtered_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
for i in filtered_roles.list():
i.delete()
except:
pass
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs is back to ON"
)
topo.standalone.restart()
assert topo.standalone.config.get_attr_val_utf8(
'nsslapd-ignore-virtual-attrs') == "on"
def finofaci():
"""
Removes and Restores ACIs and other users after the test.
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.remove_all('aci')
managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in managed_roles.list() + nested_roles.list() + users.list():
i.delete()
for i in aci_list:
domain.add("aci", i)
def finofaci():
"""
Removes and Restores ACIs and other users after the test.
And restore nsslapd-ignore-virtual-attrs to default
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.remove_all('aci')
managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in managed_roles.list() + nested_roles.list() + users.list():
i.delete()
for i in aci_list:
domain.add("aci", i)
topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')
def test_vattr_on_managed_role_replication(topo, request):
"""Test nsslapd-ignore-virtual-attrs configuration attribute
The attribute is ON by default. If a managed role is
added it is moved to OFF in replcation scenario
:id: 446f2fc3-bbb2-4835-b14a-cb855db78c6f
:customerscenario: True
:setup: Supplier Consumer
:steps:
1. Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config over consumer
2. Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON over consumer
3. Create a managed role in supplier
4. Check the value of nsslapd-ignore-virtual-attrs should be OFF over consumer
5. Check a message "roles_cache_trigger_update_role - Because of virtual attribute.." in error logs of consumer
6. Check after deleting role definition value of attribute nsslapd-ignore-virtual-attrs is set back to ON over consumer
:expectedresults:
1. This should be successful
2. This should be successful
3. This should be successful
4. This should be successful
5. This should be successful
6. This should be successful
"""
s = topo.ms['supplier1']
c = topo.cs['consumer1']
log.info(
"Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config"
)
assert c.config.present('nsslapd-ignore-virtual-attrs')
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON"
)
assert c.config.get_attr_val_utf8('nsslapd-ignore-virtual-attrs') == "on"
log.info("Create a managed role")
roles = ManagedRoles(s, DEFAULT_SUFFIX)
role = roles.create(properties={"cn": 'ROLE1'})
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs should be OFF"
)
time.sleep(5)
assert c.config.present('nsslapd-ignore-virtual-attrs', 'off')
c.stop()
assert c.searchErrorsLog(
"roles_cache_trigger_update_role - Because of virtual attribute definition \(role\), nsslapd-ignore-virtual-attrs was set to \'off\'"
)
def fin():
s.restart()
c.restart()
try:
filtered_roles = ManagedRoles(s, DEFAULT_SUFFIX)
for i in filtered_roles.list():
i.delete()
except:
pass
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs is back to ON"
)
s.restart()
c.restart()
assert c.config.get_attr_val_utf8(
'nsslapd-ignore-virtual-attrs') == "on"
request.addfinalizer(fin)
def _add_user(request, topo):
"""
A Function that will create necessary users delete the created user
"""
ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
ou_ou = ous.create(properties={'ou': 'roledntest'})
ou_ou.set('aci', [
f'(target="ldap:///{NESTED_ROLE_TESTER}")(targetattr="*") '
f'(version 3.0; aci "nested role aci"; allow(all)'
f'roledn = "ldap:///{ROLE2}";)',
f'(target="ldap:///{OR_RULE_ACCESS}")(targetattr="*")'
f'(version 3.0; aci "or role aci"; allow(all) '
f'roledn = "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
f'(target="ldap:///{ALL_ACCESS}")(targetattr=*)'
f'(version 3.0; aci "anyone role aci"; allow(all) '
f'roledn = "ldap:///anyone";)',
f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr=*)'
f'(version 3.0; aci "not role aci"; allow(all)'
f'roledn != "ldap:///{ROLE1} || ldap:///{ROLE21}";)'
])
nestedroles = NestedRoles(topo.standalone, OU_ROLE)
for i in [('role2', [ROLE1, ROLE21]), ('role3', [ROLE2, ROLE31])]:
nestedroles.create(properties={'cn': i[0], 'nsRoleDN': i[1]})
managedroles = ManagedRoles(topo.standalone, OU_ROLE)
for i in ['ROLE1', 'ROLE21', 'ROLE31']:
managedroles.create(properties={'cn': i})
filterroles = FilteredRoles(topo.standalone, OU_ROLE)
filterroles.create(
properties={
'cn': 'filterRole',
'nsRoleFilter': 'sn=Dr Drake',
'description': 'filter role tester'
})
users = UserAccounts(topo.standalone, OU_ROLE, rdn=None)
for i in [('STEVE_ROLE', ROLE1, 'Has roles 1, 2 and 3.'),
('HARRY_ROLE', ROLE21, 'Has roles 21, 2 and 3.'),
('MARY_ROLE', ROLE31, 'Has roles 31 and 3.')]:
users.create(
properties={
'uid': i[0],
'cn': i[0],
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i[0],
'userPassword': PW_DM,
'nsRoleDN': i[1],
'Description': i[2]
})
for i in [('JOE_ROLE', 'Has filterRole.'), ('NOROLEUSER', 'Has no roles.'),
('SCRACHENTRY', 'Entry to test rights on.'),
('all access', 'Everyone has acccess (incl anon).'),
('not rule access', 'Only accessible to mary.'),
('or rule access',
'Only to steve and harry but nbot mary or anon'),
('nested role tester', 'Only accessible to harry and steve.')]:
users.create(
properties={
'uid': i[0],
'cn': i[0],
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i[0],
'userPassword': PW_DM,
'Description': i[1]
})
# Setting SN for user JOE
UserAccount(topo.standalone,
f'uid=JOE_ROLE,ou=roledntest,{DEFAULT_SUFFIX}').set(
'sn', 'Dr Drake')
def fin():
"""
It will delete the created users
"""
for i in users.list() + managedroles.list() + nestedroles.list():
i.delete()
request.addfinalizer(fin)
def _create_test_entries(topo):
# Changing schema
current_schema = Schema(topo.standalone)
current_schema.add(
'attributetypes',
"( 9.9.8.4 NAME 'emailclass' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 "
"X-ORIGIN 'RFC 2256' )")
current_schema.add(
'objectclasses',
"( 9.9.8.2 NAME 'mailSchemeUser' DESC 'User Defined ObjectClass' "
"SUP 'top' MUST ( objectclass ) "
"MAY (aci $ emailclass) X-ORIGIN 'RFC 2256' )")
# Creating ous
ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
for ou_ou in [
'Çéliné Ändrè',
'Ännheimè',
'Çlose Crèkä',
'Sàn Fråncêscô',
'Netscape Servers',
'COS',
]:
ous.create(properties={'ou': ou_ou})
ous_mail = OrganizationalUnits(topo.standalone, f'ou=COS,{DEFAULT_SUFFIX}')
ous_mail.create(properties={'ou': 'MailSchemeClasses'})
# Creating users
users_people = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for user, org, l_l, telephone, facetele, rn_rn in [
[
'scarter', ['Accounting', 'People'], 'Sunnyvale',
'+1 408 555 4798', '+1 408 555 9751', '4612'
],
[
'tmorris', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 9187', '+1 408 555 8473', '4117'
],
[
'kvaughan', ['Human Resources', 'People'], 'Sunnyvale',
'+1 408 555 5625', ' +1 408 555 3372', '2871'
],
[
'abergin', ['Product Testing', 'People'], 'Cupertino',
'+1 408 555 8585', '+1 408 555 7472', '3472'
],
[
'dmiller', ['Accounting', 'People'], 'Sunnyvale',
'+1 408 555 9423', '+1 408 555 0111', '4135'
],
[
'gfarmer', ['Accounting', 'People'], 'Cupertino',
'+1 408 555 6201', '+1 408 555 8473', '1269'
],
[
'kwinters', ['Product Development', 'People'], 'Santa Clara',
'+1 408 555 9069', '+1 408 555 1992', '4178'
],
[
'trigden', ['Product Development', 'People'], 'Santa Clara',
'+1 408 555 9280', '+1 408 555 8473', '3584'
],
[
'cschmith', ['Human Resources', 'People'], 'Sunnyvale',
'+1 408 555 8011', '+1 408 555 4774', '0416'
],
[
'jwallace', ['Accounting', 'People'], 'Sunnyvale',
'+1 408 555 0319', '+1 408 555 8473', '1033'
],
[
'jwalker', ['Product Testing', 'People'], 'Cupertino',
'+1 408 555 1476', '+1 408 555 1992', '3915'
],
[
'tclow', ['Human Resources', 'People'], 'Santa Clara',
'+1 408 555 8825', '+1 408 555 1992', '4376'
],
[
'rdaugherty', ['Human Resources', 'People'], 'Sunnyvale',
'+1 408 555 1296', '+1 408 555 1992', '0194'
],
[
'jreuter', ['Product Testing', 'People'], 'Cupertino',
'+1 408 555 1122', '+1 408 555 8721', '2942'
],
[
'tmason', ['Human Resources', 'People'], 'Sunnyvale',
'+1 408 555 1596', '+1 408 555 9751', '1124'
],
[
'bhall', ['Product Development', 'People'], 'Santa Clara',
'+1 408 555 4798', '+1 408 555 9751', '4612'
],
[
'btalbot', ['Human Resources', 'People'], 'Cupertino',
'+1 408 555 6067', '+1 408 555 9751', '3532'
],
[
'mward', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '1707'
],
[
'bjablons', ['Human Resources', 'People'], 'Sunnyvale',
'+1 408 555 6067', '+1 408 555 9751', '0906'
],
[
'jmcFarla', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '2359'
],
[
'llabonte', ['Product Development', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '2854'
],
[
'jcampaig', ['Product Development', 'People'], 'Cupertino',
'+1 408 555 6067', '+1 408 555 9751', '4385'
],
[
'bhal2', ['Accounting', 'People'], 'Sunnyvale', '+1 408 555 6067',
'+1 408 555 9751', '2758'
],
[
'alutz', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '1327'
],
[
'btalbo2', ['Product Development', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '1205'
],
[
'achassin', ['Product Development', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '0466'
],
[
'hmiller', ['Human Resources', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '4304'
],
[
'jcampai2', ['Human Resources', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '1377'
],
[
'lulrich', ['Accounting', 'People'], 'Sunnyvale',
'+1 408 555 6067', '+1 408 555 9751', '0985'
],
[
'mlangdon', ['Product Development', 'People'], 'Cupertino',
'+1 408 555 6067', '+1 408 555 9751', '4471'
],
[
'striplet', ['Human Resources', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '3083'
],
[
'gtriplet', ['Accounting', 'People'], 'Sunnyvale',
'+1 408 555 6067', '+1 408 555 9751', '4023'
],
[
'jfalena', ['Human Resources', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '1917'
],
[
'speterso', ['Human Resources', 'People'], 'Cupertino',
'+1 408 555 6067', '+1 408 555 9751', '3073'
],
[
'ejohnson', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '3737'
],
[
'prigden', ['Accounting', 'People'], 'Santa', '+1 408 555 6067',
'+1 408 555 9751', '1271'
],
[
'bwalker', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 6067', '+1 408 555 9751', '3529'
],
[
'kjensen', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 4798', '+1 408 555 9751', '1944'
],
[
'mlott', ['Human Resources', 'People'], 'Sunnyvale',
'+1 408 555 4798', '+1 408 555 9751', '0498'
],
[
'cwallace', ['Product Development', 'People'], 'Cupertino',
'+1 408 555 4798', '+1 408 555 9751', '0349'
],
[
'falbers', ['Accounting', 'People'], 'Sunnyvale',
'+1 408 555 4798', '+1 408 555 9751', '1439'
],
[
'calexand', ['Product Development', 'People'], 'Sunnyvale',
'+1 408 555 4798', '+1 408 555 9751', '2884'
],
[
'phunt', ['Human Resources', 'People'], 'Sunnyvale',
'+1 408 555 4798', '+1 408 555 9751', '1183'
],
[
'awhite', ['Product Testing', 'People'], 'Sunnyvale',
'+1 408 555 4798', '+1 408 555 9751', '0142'
],
[
'sfarmer', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 4798', '+1 408 555 9751', '0019'
],
[
'jrentz', ['Human Resources', 'People'], 'Santa Clara',
'+1 408 555 4798', '+1 408 555 9751', '3025'
],
[
'ahall', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 4798', '+1 408 555 9751', '3050'
],
[
'lstockto', ['Product Testing', 'People'], 'Santa Clara',
'+1 408 555 0518', '+1 408 555 4774', '0169'
],
[
'ttully', ['Human Resources', 'People'], 'Sunnyvale',
'+1 408 555 2274', '+1 408 555 0111', '3924'
],
[
'polfield', ['Human Resources', 'People'], 'Santa Clara',
'+1 408 555 4798', '+1 408 555 9751', '1376'
],
[
'scarte2', ['Product Development', 'People'], 'Santa Clara',
'+1 408 555 4798', '+1 408 555 9751', '2013'
],
[
'tkelly', ['Product Development', 'People'], 'Santa Clara',
'+1 408 555 4295', '+1 408 555 1992', '3107'
],
[
'mmcinnis', ['Product Development', 'People'], 'Santa Clara',
'+1 408 555 9655', '+1 408 555 8721', '4818'
],
[
'brigden', ['Human Resources', 'People'], 'Sunnyvale',
'+1 408 555 9655', '+1 408 555 8721', '1643'
],
[
'mtyler', ['Human Resources', 'People'], 'Cupertino',
'+1 408 555 9655', '+1 408 555 8721', '2701'
],
[
'rjense2', ['Product Testing', 'People'], 'Sunnyvale',
'+1 408 555 9655', '+1 408 555 8721', '1984'
],
[
'rhunt', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 9655', '+1 408 555 8721', '0718'
],
[
'ptyler', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 9655', '+1 408 555 8721', '0327'
],
[
'gtyler', ['Accounting', 'People'], 'Santa Clara',
'+1 408 555 9655', '+1 408 555 8721', '0312'
]
]:
english_named_user(users_people, user, org, l_l, telephone, facetele,
rn_rn)
# Creating Users
users_annahame = UserAccounts(topo.standalone,
f'ou=Ännheimè,{DEFAULT_SUFFIX}',
rdn=None)
users_sanfran = UserAccounts(topo.standalone,
f'ou=Sàn Fråncêscô,{DEFAULT_SUFFIX}',
rdn=None)
users_andre = UserAccounts(topo.standalone,
f'ou=Çéliné Ändrè,{DEFAULT_SUFFIX}',
rdn=None)
users_close = UserAccounts(topo.standalone,
f'ou=Çlose Crèkä,{DEFAULT_SUFFIX}',
rdn=None)
for people, user, cn_cn, ou_ou, des, tele, facetele, be_be, lang in [
[
users_annahame, 'user0', 'Babette Ryndérs', 'Ännheimè',
'This is Babette Ryndérs description', '+1 415 788-4115',
'+1 804 849-2367', 'es', 'Babette Ryndérs'
],
[
users_sanfran, 'user1', 'mÿrty DeCoùrsin', 'Sàn Fråncêscô',
'This is mÿrty DeCoùrsins description', '+1 408 689-8883',
'+1 804 849-2367', 'ie', 'mÿrty DeCoùrsin'
],
[
users_sanfran, 'user3', 'Kéñnon Fùndérbùrg', 'Sàn Fråncêscô',
"This is Kéñnon Fùndérbùrg's description", '+1 408 689-8883',
'+1 804 849-2367', 'it', 'Kéñnon Fùndérbùrg'
],
[
users_sanfran, 'user5', 'Dàsya Cozàrt', 'Sàn Fråncêscô',
"This is Dàsya Cozàrt's description", '+1 408 689-8883',
'+1 804 849-2367', 'be', 'Dàsya Cozàrt'
],
[
users_andre, 'user2', "Rôw O'Connér", 'Çéliné Ändrè',
"This is Rôw O'Connér's description", '+1 408 689-8883',
'+1 804 849-2367', 'it', "Rôw O'Connér"
],
[
users_andre, 'user4', 'Theadora Ebérle', 'Çéliné Ändrè',
"This is Kéñnon Fùndérbùrg's description", '+1 408 689-8883',
'+1 804 849-2367', 'de', 'Theadora Ebérle'
],
[
users_andre, 'user6', 'mÿrv Callânân', 'Çéliné Ändrè',
"This is mÿrv Callânân's description", '+1 408 689-8883',
'+1 804 849-2367', 'fr', 'mÿrv Callânân'
],
[
users_close, 'user7', 'Ñäthan Ovâns', 'Çlose Crèkä',
"This is Ñäthan Ovâns's description", '+1 408 689-8883',
'+1 804 849-2367', 'be', 'Ñäthan Ovâns'
]
]:
non_english_user(people, user, cn_cn, ou_ou, des, tele, facetele,
be_be, lang)
# Creating User Entry
for user, address, pin in [
['Secretary1', '123 Castro St., Mountain View, CA', '99999'],
['Secretary2', '234 Ellis St., Mountain View, CA', '88888'],
['Secretary3', '345 California Av., Mountain View, CA', '77777'],
['Secretary4', '456 Villa St., Mountain View, CA', '66666'],
['Secretary5', '567 University Av., Mountain View, CA', '55555']
]:
user_with_postal_code(users_people, user, address, pin)
# Adding properties to mtyler
mtyler = UserAccount(topo.standalone,
'uid=mtyler, ou=people, dc=example, dc=com')
for value1, value2 in [
('objectclass', ['mailSchemeUser', 'mailRecipient']),
('emailclass', 'vpemail'), ('mailquota', '600'),
('multiLineDescription',
'fromentry This is the special \2a attribute value')
]:
mtyler.add(value1, value2)
# Adding properties to rjense2
rjense2 = UserAccount(topo.standalone,
'uid=rjense2, ou=people, dc=example, dc=com')
for value1, value2 in [('objectclass', ['mailRecipient',
'mailSchemeUser']),
('emailclass', 'vpemail')]:
rjense2.add(value1, value2)
# Creating managed role
ManagedRoles(topo.standalone, DEFAULT_SUFFIX).create(
properties={
'description': 'This is the new managed role configuration',
'cn': 'new managed role'
})
# Creating filter role
filters = FilterRoles(topo.standalone, DEFAULT_SUFFIX)
filters.create(
properties={
'nsRoleFilter': '(uid=*wal*)',
'description': 'this is the new filtered role',
'cn': 'new filtered role'
})
filters.create(
properties={
'nsRoleFilter': '(&(postalCode=77777)(uid=*er*))',
'description': 'This is the new vddr filter role config',
'cn': 'new vaddr filtered role'
})
filters.create(
properties={
'nsRoleFilter': '(&(postalCode=66666)(l=Cupertino))',
'description': 'This is the new vddr filter role config',
'cn': 'another vaddr role'
})
def test_managedrole(topo):
"""Test Managed Role
:id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. Search managed role entries
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Create Managed role entry
roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
role = roles.create(properties={"cn": 'ROLE1'})
# Create user and Assign the role to the entry
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
uas.create(
properties={
'uid': 'Fail',
'cn': 'Fail',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Fail',
'nsRoleDN': role.dn,
'userPassword': PW_DM
})
# Create user and do not Assign any role to the entry
uas.create(
properties={
'uid': 'Success',
'cn': 'Success',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Success',
'userPassword': PW_DM
})
# Assert that Manage role entry is created and its searchable
assert ManagedRoles(topo.standalone, DEFAULT_SUFFIX).list()[0].dn \
== 'cn=ROLE1,dc=example,dc=com'
# Set an aci that will deny ROLE1 manage role
Domain(topo.standalone, DEFAULT_SUFFIX).\
add('aci', '(targetattr=*)(version 3.0; aci "role aci";'
' deny(all) roledn="ldap:///{}";)'.format(role.dn),)
# Crate a connection with cn=Fail which is member of ROLE1
conn = UserAccount(topo.standalone,
"uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Access denied to ROLE1 members
assert not ManagedRoles(conn, DEFAULT_SUFFIX).list()
# Now create a connection with cn=Success which is not a member of ROLE1
conn = UserAccount(topo.standalone,
"uid=Success,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Access allowed here
assert ManagedRoles(conn, DEFAULT_SUFFIX).list()
for i in uas.list():
i.delete()
for i in roles.list():
i.delete()
def test_vattr_on_managed_role(topo, request):
"""Test nsslapd-ignore-virtual-attrs configuration attribute
The attribute is ON by default. If a managed role is
added it is moved to OFF
:id: 664b722d-c1ea-41e4-8f6c-f9c87a212346
:customerscenario: True
:setup: Standalone instance
:steps:
1. Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config
2. Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON
3. Create a managed role
4. Check the value of nsslapd-ignore-virtual-attrs should be OFF
5. Check a message "roles_cache_trigger_update_role - Because of virtual attribute.." in error logs
6. Check after deleting role definition value of attribute nsslapd-ignore-virtual-attrs is set back to ON
:expectedresults:
1. This should be successful
2. This should be successful
3. This should be successful
4. This should be successful
5. This should be successful
6. This should be successful
"""
log.info(
"Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config"
)
assert topo.standalone.config.present('nsslapd-ignore-virtual-attrs')
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON"
)
assert topo.standalone.config.get_attr_val_utf8(
'nsslapd-ignore-virtual-attrs') == "on"
log.info("Create a managed role")
roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
role = roles.create(properties={"cn": 'ROLE1'})
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs should be OFF"
)
assert topo.standalone.config.present('nsslapd-ignore-virtual-attrs',
'off')
topo.standalone.stop()
assert topo.standalone.searchErrorsLog(
"roles_cache_trigger_update_role - Because of virtual attribute definition \(role\), nsslapd-ignore-virtual-attrs was set to \'off\'"
)
def fin():
topo.standalone.restart()
try:
filtered_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
for i in filtered_roles.list():
i.delete()
except:
pass
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs is back to ON"
)
topo.standalone.restart()
assert topo.standalone.config.get_attr_val_utf8(
'nsslapd-ignore-virtual-attrs') == "on"
request.addfinalizer(fin)
def test_managedrole(topo, request):
"""Test Managed Role
:id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. Search managed role entries
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Create Managed role entry
roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
role = roles.create(properties={"cn": 'ROLE1'})
# Create user and Assign the role to the entry
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
uas.create(
properties={
'uid': 'Fail',
'cn': 'Fail',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Fail',
'nsRoleDN': role.dn,
'userPassword': PW_DM
})
# Create user and do not Assign any role to the entry
uas.create(
properties={
'uid': 'Success',
'cn': 'Success',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Success',
'userPassword': PW_DM
})
# Assert that Manage role entry is created and its searchable
assert ManagedRoles(topo.standalone, DEFAULT_SUFFIX).list()[0].dn \
== 'cn=ROLE1,dc=example,dc=com'
# Set an aci that will deny ROLE1 manage role
Domain(topo.standalone, DEFAULT_SUFFIX).\
add('aci', '(targetattr="*")(version 3.0; aci "role aci";'
' deny(all) roledn="ldap:///{}";)'.format(role.dn),)
# Add self user modification and anonymous aci
ANON_ACI = "(targetattr=\"*\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)"
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
suffix.add('aci', ANON_ACI)
# Crate a connection with cn=Fail which is member of ROLE1
conn = UserAccount(topo.standalone,
"uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Access denied to ROLE1 members
assert not ManagedRoles(conn, DEFAULT_SUFFIX).list()
# Now create a connection with cn=Success which is not a member of ROLE1
conn = UserAccount(topo.standalone,
"uid=Success,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Access allowed here
assert ManagedRoles(conn, DEFAULT_SUFFIX).list()
for i in uas.list():
i.delete()
for i in roles.list():
i.delete()
def fin():
topo.standalone.restart()
try:
role = ManagedRoles(topo.standalone, DEFAULT_SUFFIX).get('ROLE1')
role.delete()
except:
pass
topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')
request.addfinalizer(fin)
def _add_user(topo):
"""
This function will create user for the test and in the end entries will be deleted .
"""
role_aci_body = '(targetattr=*)(version 3.0; aci "role aci"; allow(all)'
# Creating OUs
ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
ou_accounting = ous.create(properties={'ou': 'Accounting'})
ou_accounting.set('aci', [
f'(target="ldap:///{ROLEDNACCESS}"){role_aci_body} '
f'userattr = "Description#ROLEDN";)',
f'(target="ldap:///{USERDNACCESS}"){role_aci_body} '
f'userattr = "Description#USERDN";)',
f'(target="ldap:///{GROUPDNACCESS}"){role_aci_body} '
f'userattr = "Description#GROUPDN";)',
f'(target="ldap:///{LDAPURLACCESS}"){role_aci_body} '
f'userattr = "Description#LDAPURL";)',
f'(target="ldap:///{ATTRNAMEACCESS}"){role_aci_body} '
f'userattr = "Description#4612";)'
])
ou_inheritance = ous.create(
properties={
'ou': 'Inheritance',
'street': LEVEL_4,
'seeAlso': LEVEL_3,
'st': LEVEL_2,
'description': LEVEL_1,
'businessCategory': LEVEL_0
})
inheritance_aci_body = '(targetattr=*)(version 3.0; aci "Inheritance aci"; allow(all) '
ou_inheritance.set('aci', [
f'{inheritance_aci_body} '
f'userattr = "parent[0].businessCategory#USERDN";)',
f'{inheritance_aci_body} '
f'userattr = "parent[0,1].description#USERDN";)',
f'{inheritance_aci_body} '
f'userattr = "parent[0,1,2].st#USERDN";)', f'{inheritance_aci_body} '
f'userattr = "parent[0,1,2,3].seeAlso#USERDN";)',
f'{inheritance_aci_body} '
f'userattr = "parent[0,1,2,3,4].street#USERDN";)'
])
# Creating Users
users = UserAccounts(topo.standalone, OU, rdn=None)
for i in [['Anuj Borah', 'Sunnyvale', ROLE1, '4612'],
['Ananda Borah', 'Santa Clara', ROLE2, 'Its Unknown']]:
users.create(
properties={
'uid': i[0],
'cn': i[0].split()[0],
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i[0].split()[0],
'userPassword': PW_DM,
'givenname': i[0].split()[0],
'l': i[1],
'mail': "*****@*****.**",
'telephonenumber': "+1 408 555 4798",
'facsimiletelephonenumber': "+1 408 555 9751",
'roomnumber': i[3],
'Description': i[3],
'nsRoleDN': i[2]
})
for demo1 in [('ROLEDNACCESS', ROLE1), ('USERDNACCESS', CAN),
('GROUPDNACCESS', NSSIMPLEGROUP), ('ATTRNAMEACCESS', '4612'),
('LDAPURLACCESS',
f"ldap:///{DEFAULT_SUFFIX}??sub?(l=Sunnyvale)")]:
users.create(
properties={
'uid': demo1[0],
'cn': demo1[0],
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + demo1[0],
'userPassword': PW_DM,
'Description': demo1[1]
})
# Creating roles
roles = ManagedRoles(topo.standalone, OU)
for i in ['ROLE1', 'ROLE2']:
roles.create(properties={"cn": i})
# Creating Groups
grps = Groups(topo.standalone, OU, rdn=None)
for i in [('NSSIMPLEGROUP', CAN), ('NSSIMPLEGROUP1', CANNOT)]:
grps.create(properties={'cn': i[0], 'ou': 'groups', 'member': i[1]})
users = UserAccounts(topo.standalone, OU_2, rdn=None)
for i in ['Grandson', 'Child', 'Parent', 'Grandparent', 'Ancestor']:
users.create(
properties={
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
})
# Creating Other OUs
for dn_dn in [(OU_2, 'ANCESTORS'), (ANCESTORS, 'GRANDPARENTS'),
(GRANDPARENTS, 'PARENTS'), (PARENTS, 'CHILDREN'),
(CHILDREN, 'GRANDSONS')]:
OrganizationalUnits(topo.standalone,
dn_dn[0]).create(properties={'ou': dn_dn[1]})
