def test_user_binds_without_any_password_and_cannot_access_the_data(
        topo, add_user, aci_of_user):
    """A bind carrying no password (anonymous) must be refused write access by the ACI.

    Installs the SIMPLE_ACI_KEY ACI, opens an anonymous connection and
    checks that replacing ``seeAlso`` on the AUTHMETHOD_OU_KEY entry is
    rejected with INSUFFICIENT_ACCESS.

    :id: 205777fa-7ac5-11e8-ba2f-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add the SIMPLE_ACI_KEY ACI
        2. Bind anonymously
        3. Replace ``seeAlso`` on the AUTHMETHOD_OU_KEY entry
    :expectedresults:
        1. ACI is added
        2. Bind succeeds
        3. Modification is rejected with INSUFFICIENT_ACCESS
    """
    _add_aci(topo, SIMPLE_ACI_KEY)

    anon_conn = Anonymous(topo.standalone).bind()
    target_ou = OrganizationalUnit(anon_conn, AUTHMETHOD_OU_KEY)
    # An unauthenticated session must not be able to write the entry.
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        target_ou.replace("seeAlso", "cn=1")
def test_targattrfilters_and_search_permissions_and_that_ldapmodify_works_as_expected_two(
        topo, _add_user, aci_of_user, request):
    """targattrfilters combined with read/search rights still exposes the listed attributes.

    Adds an ACI (named after the running test) that grants anyone
    write/read/search/compare on ``secretary``, ``objectclass`` and
    ``mail`` while restricting added ``title`` values, then checks that an
    anonymous bind can read those three attributes of USER_DELADD.

    :id: e25d116e-7aa9-11e8-81d8-8c16451d917b
    :setup: server
    :steps:
        1. Add the ACI to DEFAULT_SUFFIX
        2. Bind anonymously
        3. Read secretary, mail and objectclass of USER_DELADD
    :expectedresults:
        1. ACI is added
        2. Bind succeeds
        3. Each attribute returns a non-empty value set
    """
    aci_parts = (
        '(targetattr="secretary || objectclass || mail")(targattrfilters = ',
        '"add=title:(title=arch*)")(version 3.0; acl "{}"; allow ',
        '(write,read,search,compare) (userdn = "ldap:///anyone") ;)',
    )
    aci_body = "".join(aci_parts).format(request.node.name)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    anon_conn = Anonymous(topo.standalone).bind()
    target = UserAccount(anon_conn, USER_DELADD)
    # Anonymous may read exactly the attributes listed in targetattr.
    for attr in ('secretary', 'mail', 'objectclass'):
        assert target.get_attr_vals(attr)
def test_we_can_search_as_expected(topo, _add_user, aci_of_user):
    """A target/targetfilter-scoped targattrfilters ACI still lets anonymous read the listed attributes.

    Adds an ACI scoped to ``cn=*,ou=Product Development`` entries whose
    ``cn`` starts with ``Jeff``, granting anyone write/read/search/compare
    on ``secretary``, ``objectclass`` and ``mail``, then reads those three
    attributes of USER_DELADD over an anonymous bind.

    :id: e845dbba-7aa9-11e8-8988-8c16451d917b
    :setup: server
    :steps:
        1. Add the scoped ACI to DEFAULT_SUFFIX
        2. Bind anonymously
        3. Read secretary, mail and objectclass of USER_DELADD
    :expectedresults:
        1. ACI is added
        2. Bind succeeds
        3. Each attribute returns a non-empty value set
    """
    # The acl name "$tet_thistest" is kept verbatim; it looks like a
    # leftover template variable and only serves as the ACI's label.
    aci_body = (
        '(target="ldap:///cn=*,ou=Product Development, {}")'
        '(targetfilter="cn=Jeff*")(targetattr="secretary || objectclass || mail")'
        '(targattrfilters = "add=title:(title=arch*)")(version 3.0; acl "$tet_thistest"; '
        'allow (write,read,search,compare) (userdn = "ldap:///anyone") ;)'
    ).format(DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    anon_conn = Anonymous(topo.standalone).bind()
    target = UserAccount(anon_conn, USER_DELADD)
    # The ACI exposes secretary, mail and objectclass to anyone.
    for attr in ('secretary', 'mail', 'objectclass'):
        assert target.get_attr_vals(attr)
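def test_only_allow_some_targetattr_two(topo, clean, aci_of_user, request):
    """Misc Test 6 only allow some targetattr (2/2)

    Creates five users with ``cn=Anuj`` and one without, then installs an
    ACI on DEFAULT_SUFFIX that grants anyone compare/read/search on
    ``mail`` and ``objectClass`` only for entries matching ``cn=Anuj``.
    Both an authenticated test user and an anonymous bind must then see
    exactly five ``mail`` values and no ``cn`` values, while the
    instance's own (root) connection sees all six ``mail`` values.

    The test users are removed in a ``finally`` block so a failing
    assertion does not leave them behind for later tests.

    :id: a188239c-7db8-11e8-903e-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Create five users with cn=Anuj and a mail value, plus one user with mail only
        2. Replace the suffix ACI with one allowing read/search/compare on mail||objectClass for cn=Anuj
        3. Search as a bound test user and as anonymous
        4. Search over the root connection
    :expectedresults:
        1. Users are created
        2. ACI is installed
        3. Five entries match (mail=*), none match (cn=*), every mail value is the expected one
        4. Six entries match (mail=*)
    """
    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
    try:
        for i in range(5):
            user = uas.create_test_user(uid=i, gid=i)
            user.replace_many(('mail', '*****@*****.**'), ('cn', 'Anuj'),
                              ('userPassword', PW_DM))

        # Sixth user has mail but not cn=Anuj, so the ACI must hide it.
        uas.create_test_user().replace_many(('mail', '*****@*****.**'),
                                            ('userPassword', PW_DM))

        Domain(topo.standalone, DEFAULT_SUFFIX).\
            replace("aci", '(target="ldap:///{}") (targetattr="mail||objectClass")'
                           '(targetfilter="cn=Anuj") (version 3.0; acl "{}"; '
                           'allow (compare,read,search) '
                           '(userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX, request.node.name))

        # `user` is the last cn=Anuj user created in the loop above.
        bound_conn = UserAccount(topo.standalone, user.dn).bind(PW_DM)
        _assert_mail_visible_only_for_anuj(Accounts(bound_conn, DEFAULT_SUFFIX))

        anon_conn = Anonymous(topo.standalone).bind()
        _assert_mail_visible_only_for_anuj(Accounts(anon_conn, DEFAULT_SUFFIX))

        # The root connection is not restricted by the ACI: all six users.
        assert len(Accounts(topo.standalone,
                            DEFAULT_SUFFIX).filter('(mail=*)')) == 6
    finally:
        # Remove the test users even when an assertion above fails.
        for entry in uas.list():
            entry.delete()


def _assert_mail_visible_only_for_anuj(accounts):
    """Assert *accounts* sees exactly the five cn=Anuj users via (mail=*) and nothing via (cn=*).

    The (mail=*) search is run once and its result reused for both the
    count and the per-entry value check.
    """
    visible = accounts.filter('(mail=*)')
    assert len(visible) == 5
    # cn is not in targetattr, so filtering on it must match nothing.
    assert not accounts.filter('(cn=*)')
    for entry in visible:
        assert entry.get_attr_val_utf8('mail') == '*****@*****.**'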
def test_ldap_auth_token_anonymous(topology):
    """Requesting an SSO token over an anonymous bind must be refused.

    :id: 966068c3-fbc6-468d-a554-18d68d1d895b

    :setup: Standalone instance

    :steps:
        1. Enable TLS and nsslapd-enable-ldapssotoken
        2. Bind anonymously and send an LdapSSOTokenRequest

    :expectedresults:
        1. Configuration is applied
        2. The extended operation fails with UNWILLING_TO_PERFORM
    """
    inst = topology.standalone
    inst.enable_tls()
    inst.config.set('nsslapd-enable-ldapssotoken', 'on')

    anon_conn = Anonymous(inst).bind()
    token_req = LdapSSOTokenRequest()
    # An unauthenticated session must never be issued a token.
    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        anon_conn.extop_s(token_req, escapehatch='i am sure')
def test_mod_anonseealso_positive(topo, _add_user, _aci_of_user, entry):
    """An anonymous bind may replace ``seeAlso`` on *entry* under the roledn ACI.

    :id: c3eb41ac-79f4-11e8-aa8b-8c16451d917b
    :setup: Standalone server
    :steps:
        1. Bind anonymously
        2. Replace ``seeAlso`` on *entry*
    :expectedresults:
        1. Bind succeeds
        2. Modification succeeds
    """
    anon_conn = Anonymous(topo.standalone).bind()
    target = UserAccount(anon_conn, entry)
    # No exception expected here; the permitting ACI presumably comes from
    # the _aci_of_user fixture — check its definition when this regresses.
    target.replace('seeAlso', 'cn=1')
def test_allow_write_access_to_userdn_all(topo, aci_of_user, cleanup_tree):
    """Modify Test 3 Allow write access to userdn 'all'

    Installs an ACI granting write on every attribute to
    ``userdn = "ldap:///all"``, creates two OUs with one user each, then
    checks that an anonymous bind is refused while the bound user
    USER_WITH_ACI_DELADD may add ``title`` to USER_DELADD.

    :id: 70c58818-7abf-11e8-afa1-8c16451d917b
    :setup: server
    :steps:
        1. Add the userdn "ldap:///all" write ACI to DEFAULT_SUFFIX
        2. Create the Product Development and Accounting OUs and one user in each
        3. Add ``title`` to USER_DELADD anonymously
        4. Add ``title`` to USER_DELADD as USER_WITH_ACI_DELADD
    :expectedresults:
        1. ACI is added
        2. Entries are created
        3. Rejected with INSUFFICIENT_ACCESS
        4. Succeeds and the attribute reads back
    """
    aci_body = '(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///all") ;)'
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    for ou_name in ('Product Development', 'Accounting'):
        ou_dn = "ou={},{}".format(ou_name, DEFAULT_SUFFIX)
        OrganizationalUnit(topo.standalone, ou_dn).create(properties={'ou': ou_name})

    for rdn in ('Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'):
        user_dn = "cn={},{}".format(rdn, DEFAULT_SUFFIX)
        UserAccount(topo.standalone, user_dn).create(properties={
            'uid': rdn,
            'cn': rdn,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + rdn,
            'userPassword': PW_DM,
        })

    # "ldap:///all" does not cover the anonymous session: the write is refused.
    anon_conn = Anonymous(topo.standalone).bind()
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        UserAccount(anon_conn, USER_DELADD).add("title", "Architect")

    # An authenticated user is covered and the write goes through.
    user_conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    target = UserAccount(user_conn, USER_DELADD)
    target.add("title", "Architect")
    assert target.get_attr_val('title')
def test_allow_write_access_to_targetattr_with_multiple_attibutes(
        topo, aci_of_user, cleanup_tree):
    """Modify Test 2 Allow write access to targetattr with multiple attributes

    Installs an ACI granting anyone write on ``telephonenumber`` and
    ``roomnumber``, creates the Product Development OU and the Jeff Vedder
    user, then adds both attributes to USER_DELADD over an anonymous bind.

    :id: 6b9f05c6-7abf-11e8-9ba1-8c16451d917b
    :setup: server
    :steps:
        1. Add the two-attribute write ACI to DEFAULT_SUFFIX
        2. Create the OU and the user
        3. Add telephonenumber and roomnumber to USER_DELADD anonymously
    :expectedresults:
        1. ACI is added
        2. Entries are created
        3. Both attributes are written and read back
    """
    aci_body = '(targetattr = "telephonenumber || roomnumber")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    ou_dn = "ou=Product Development,{}".format(DEFAULT_SUFFIX)
    OrganizationalUnit(topo.standalone, ou_dn).create(
        properties={'ou': 'Product Development'})

    user_dn = "cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX)
    UserAccount(topo.standalone, user_dn).create(properties={
        'uid': 'Jeff Vedder',
        'cn': 'Jeff Vedder',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/JeffVedder',
        'userPassword': PW_DM,
    })

    # "ldap:///anyone" includes the anonymous session, so both writes succeed.
    anon_conn = Anonymous(topo.standalone).bind()
    target = UserAccount(anon_conn, USER_DELADD)
    for attr, value in (("telephonenumber", "+1 408 555 1212"),
                        ("roomnumber", "101")):
        target.add(attr, value)
        assert target.get_attr_val(attr)
def test_mod_anonseealso_negaive(topo, _add_user, _aci_of_user, entry):
    """An anonymous bind must be refused when replacing ``seeAlso`` on *entry*.

    :id: d385611a-79f4-11e8-adc8-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Bind anonymously
        2. Replace ``seeAlso`` on *entry*
    :expectedresults:
        1. Bind succeeds
        2. Modification is rejected with INSUFFICIENT_ACCESS
    """
    anon_conn = Anonymous(topo.standalone).bind()
    target = UserAccount(anon_conn, entry)
    # The roledn ACI from the fixture must not cover the anonymous session.
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        target.replace('seeAlso', 'cn=1')
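def test_accept_aci_in_addition_to_acl(topo, clean, aci_of_user):
    """Misc Test 2 accept aci in addition to acl

    Creates a test user under ``ou=product development``, adds an ACI on
    CONTAINER_1_DELADD that denies anyone read/search/compare/write on
    ``givenname``, and checks over an anonymous bind that ``givenname``
    does not read back while ``uid`` still does.

    The hidden-attribute check is a direct ``!=`` assertion rather than an
    ``assert`` wrapped in ``pytest.raises(AssertionError)``; the test user
    is removed in a ``finally`` block so a failing assertion does not
    leave it behind.

    :id: 8e9408fa-7db8-11e8-adaa-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Create a test user with mail, givenname and a password
        2. Add the deny ACI for targetattr=givenname to CONTAINER_1_DELADD
        3. Read givenname and uid of the user anonymously
    :expectedresults:
        1. User is created
        2. ACI is added
        3. givenname does not read back as 'Anuj'; uid reads back as 'test_user_1000'
    """
    uas = UserAccounts(topo.standalone,
                       DEFAULT_SUFFIX,
                       rdn='ou=product development')
    try:
        user = uas.create_test_user()
        for attr, value in (('mail', '*****@*****.**'), ('givenname', 'Anuj'),
                            ('userPassword', PW_DM)):
            user.set(attr, value)

        aci_target = "(targetattr=givenname)"
        aci_allow = (
            '(version 3.0; acl "Name of the ACI"; deny (read, search, compare, write)'
        )
        aci_subject = 'userdn="ldap:///anyone";)'
        Domain(topo.standalone,
               CONTAINER_1_DELADD).add("aci", aci_target + aci_allow + aci_subject)

        anon_conn = Anonymous(topo.standalone).bind()
        anon_view = UserAccount(anon_conn, user.dn)
        # The deny ACI hides givenname from anonymous: the stored value
        # 'Anuj' must not come back.
        assert anon_view.get_attr_val_utf8('givenname') != 'Anuj'
        # Attributes outside targetattr stay readable.
        assert anon_view.get_attr_val_utf8('uid') == 'test_user_1000'
    finally:
        # Remove the test user even if an assertion above fails.
        for entry in uas.list():
            entry.delete()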
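def test_only_allow_some_targetattr(topo, clean, aci_of_user):
    """Misc Test 5 only allow some targetattr (1/2)

    Creates two users with ``cn=Anuj1`` and a mail value, replaces the
    suffix ACI with one that grants anyone read/search/compare on ``mail``
    and ``objectClass`` only, and checks that an anonymous bind can find
    both users via ``(mail=*)`` but none via ``(cn=*)``, while the
    instance's own (root) connection still finds both via ``(uid=*)``.

    The test users are removed in a ``finally`` block so a failing
    assertion does not leave them behind for later tests.

    :id: 9d27f048-7db8-11e8-a71c-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Create two users with cn=Anuj1 and a mail value
        2. Replace the suffix ACI with one allowing read/search/compare on mail||objectClass
        3. Search anonymously with (mail=*) and (cn=*)
        4. Search over the root connection with (uid=*)
    :expectedresults:
        1. Users are created
        2. ACI is installed
        3. Two entries match (mail=*), none match (cn=*)
        4. Two entries match (uid=*)
    """
    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
    try:
        for i in range(1, 3):
            user = uas.create_test_user(uid=i, gid=i)
            user.replace_many(('cn', 'Anuj1'), ('mail', '*****@*****.**'))

        Domain(topo.standalone, DEFAULT_SUFFIX).\
            replace("aci", '(target="ldap:///{}")(targetattr="mail||objectClass")'
                           '(version 3.0; acl "Test";allow (read,search,compare) '
                           '(userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX))

        anon_conn = Anonymous(topo.standalone).bind()
        accounts = Accounts(anon_conn, DEFAULT_SUFFIX)

        # Anonymous may search on mail (listed in targetattr) ...
        assert len(accounts.filter('(mail=*)')) == 2
        # ... but not on cn, which the ACI does not expose.
        assert not accounts.filter('(cn=*)', scope=1)
        # The root connection is not restricted by the ACI.
        assert len(
            Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)',
                                                             scope=1)) == 2
    finally:
        # Remove the test users even when an assertion above fails.
        for entry in uas.list():
            entry.delete()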
def test_anonymous_user_cannot_access_the_data(topo, add_user, aci_of_user):
    """An anonymous bind must be refused write access under the NONE_ACI_KEY ACI.

    Installs the NONE_ACI_KEY ACI, opens an anonymous connection and
    checks that replacing ``seeAlso`` on the AUTHMETHOD_OU_KEY entry is
    rejected with INSUFFICIENT_ACCESS.

    :id: 0821a55c-7ac5-11e8-b214-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add the NONE_ACI_KEY ACI
        2. Bind anonymously
        3. Replace ``seeAlso`` on the AUTHMETHOD_OU_KEY entry
    :expectedresults:
        1. ACI is added
        2. Bind succeeds
        3. Modification is rejected with INSUFFICIENT_ACCESS
    """
    _add_aci(topo, NONE_ACI_KEY)

    anon_conn = Anonymous(topo.standalone).bind()
    target_ou = OrganizationalUnit(anon_conn, AUTHMETHOD_OU_KEY)
    # The unauthenticated session must not be able to write the entry.
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        target_ou.replace("seeAlso", "cn=1")