def test_ri_and_mep_cache_corruption(topology_st):
"""Test RI plugin aborts change after MEP plugin fails.
This is really testing the entry cache for corruption
:id: 70d0b96e-b693-4bf7-bbf5-102a66ac5995
:setup: Standalone instance
:steps: 1. Enable and configure mep and ri plugins
2. Add user and add it to a group
3. Disable MEP plugin and remove MEP group
4. Delete user
5. Check that user is still a member of the group
:expectedresults:
1. Success
2. Success
3. Success
4. It fails with NO_SUCH_OBJECT
5. Success
"""
# Start plugins
topology_st.standalone.config.set('nsslapd-dynamic-plugins', 'on')
mep_plugin = ManagedEntriesPlugin(topology_st.standalone)
mep_plugin.enable()
ri_plugin = ReferentialIntegrityPlugin(topology_st.standalone)
ri_plugin.enable()
# Add our org units
ous = OrganizationalUnits(topology_st.standalone, DEFAULT_SUFFIX)
ou_people = ous.create(properties={'ou': 'managed_people'})
ou_groups = ous.create(properties={'ou': 'managed_groups'})
# Configure MEP
mep_templates = MEPTemplates(topology_st.standalone, DEFAULT_SUFFIX)
mep_template1 = mep_templates.create(
properties={
'cn':
'MEP template',
'mepRDNAttr':
'cn',
'mepStaticAttr':
'objectclass: posixGroup|objectclass: extensibleObject'.split('|'),
'mepMappedAttr':
'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|')
})
mep_configs = MEPConfigs(topology_st.standalone)
mep_configs.create(
properties={
'cn': 'config',
'originScope': ou_people.dn,
'originFilter': 'objectclass=posixAccount',
'managedBase': ou_groups.dn,
'managedTemplate': mep_template1.dn
})
# Add an entry that meets the MEP scope
users = UserAccounts(topology_st.standalone,
DEFAULT_SUFFIX,
rdn='ou={}'.format(ou_people.rdn))
user = users.create(
properties={
'uid': 'test-user1',
'cn': 'test-user',
'sn': 'test-user',
'uidNumber': '10011',
'gidNumber': '20011',
'homeDirectory': '/home/test-user1'
})
# Add group
groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
user_group = groups.ensure_state(properties={
'cn': 'group',
'member': user.dn
})
# Check if a managed group entry was created
mep_group = Group(topology_st.standalone,
dn='cn={},{}'.format(user.rdn, ou_groups.dn))
if not mep_group.exists():
log.fatal("MEP group was not created for the user")
assert False
# Test MEP be txn pre op failure does not corrupt entry cache
# Should get the same exception for both rename attempts
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
mep_group.rename("cn=modrdn group")
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
mep_group.rename("cn=modrdn group")
# Mess with MEP so it fails
mep_plugin.disable()
mep_group.delete()
mep_plugin.enable()
# Add another group to verify entry cache is not corrupted
test_group = groups.create(properties={'cn': 'test_group'})
# Delete user, should fail in MEP be txn post op, and user should still be a member
with pytest.raises(ldap.NO_SUCH_OBJECT):
user.delete()
# Verify membership is intact
if not user_group.is_member(user.dn):
log.fatal(
"Member was incorrectly removed from the group!! Or so it seems")
# Restart server and test again in case this was a cache issue
topology_st.standalone.restart()
if user_group.is_member(user.dn):
log.info("The entry cache was corrupted")
assert False
assert False
# Verify test group is still found in entry cache by deleting it
test_group.delete()
# Success
log.info("Test PASSED")
def test_ri_and_mep_cache_corruption(topology_st):
"""Test RI plugin aborts change after MEP plugin fails.
This is really testing the entry cache for corruption
:id: 70d0b96e-b693-4bf7-bbf5-102a66ac5995
:setup: Standalone instance
:steps: 1. Enable and configure mep and ri plugins
2. Add user and add it to a group
3. Disable MEP plugin and remove MEP group
4. Delete user
5. Check that user is still a member of the group
:expectedresults:
1. Success
2. Success
3. Success
4. It fails with NO_SUCH_OBJECT
5. Success
"""
# Add ACI so we can test that non-DM user can't delete managed entry
domain = Domain(topology_st.standalone, DEFAULT_SUFFIX)
ACI_TARGET = f"(target = \"ldap:///{DEFAULT_SUFFIX}\")"
ACI_TARGETATTR = "(targetattr = *)"
ACI_ALLOW = "(version 3.0; acl \"Admin Access\"; allow (all) "
ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)"
ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
domain.add('aci', ACI_BODY)
# Start plugins
topology_st.standalone.config.set('nsslapd-dynamic-plugins', 'on')
mep_plugin = ManagedEntriesPlugin(topology_st.standalone)
mep_plugin.enable()
ri_plugin = ReferentialIntegrityPlugin(topology_st.standalone)
ri_plugin.enable()
# Add our org units
ous = OrganizationalUnits(topology_st.standalone, DEFAULT_SUFFIX)
ou_people = ous.create(properties={'ou': 'managed_people'})
ou_groups = ous.create(properties={'ou': 'managed_groups'})
# Configure MEP
mep_templates = MEPTemplates(topology_st.standalone, DEFAULT_SUFFIX)
mep_template1 = mep_templates.create(properties={
'cn': 'MEP template',
'mepRDNAttr': 'cn',
'mepStaticAttr': 'objectclass: groupOfNames|objectclass: extensibleObject'.split('|'),
'mepMappedAttr': 'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|')
})
mep_configs = MEPConfigs(topology_st.standalone)
mep_configs.create(properties={'cn': 'config',
'originScope': ou_people.dn,
'originFilter': 'objectclass=posixAccount',
'managedBase': ou_groups.dn,
'managedTemplate': mep_template1.dn})
# Add an entry that meets the MEP scope
users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX,
rdn='ou={}'.format(ou_people.rdn))
user = users.create(properties={
'uid': 'test-user1',
'cn': 'test-user',
'sn': 'test-user',
'uidNumber': '10011',
'gidNumber': '20011',
'homeDirectory': '/home/test-user1'
})
user.reset_password(USER_PASSWORD)
user_bound_conn = user.bind(USER_PASSWORD)
# Add group
groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
user_group = groups.ensure_state(properties={'cn': 'group', 'member': user.dn})
# Check if a managed group entry was created
mep_group = Group(topology_st.standalone, dn='cn={},{}'.format(user.rdn, ou_groups.dn))
if not mep_group.exists():
log.fatal("MEP group was not created for the user")
assert False
# Test MEP be txn pre op failure does not corrupt entry cache
# Should get the same exception for both rename attempts
# Try to remove the entry while bound as Admin (non-DM)
managed_groups_user_conn = Groups(user_bound_conn, ou_groups.dn, rdn=None)
managed_entry_user_conn = managed_groups_user_conn.get(user.rdn)
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
managed_entry_user_conn.rename("cn=modrdn group")
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
managed_entry_user_conn.rename("cn=modrdn group")
# Mess with MEP so it fails
mep_plugin.disable()
users_mep_group = UserAccounts(topology_st.standalone, mep_group.dn, rdn=None)
users_mep_group.create_test_user(1001)
mep_plugin.enable()
# Add another group to verify entry cache is not corrupted
test_group = groups.create(properties={'cn': 'test_group'})
# Try to delete user - it fails because managed entry can't be deleted
with pytest.raises(ldap.NOT_ALLOWED_ON_NONLEAF):
user.delete()
# Verify membership is intact
if not user_group.is_member(user.dn):
log.fatal("Member was incorrectly removed from the group!! Or so it seems")
# Restart server and test again in case this was a cache issue
topology_st.standalone.restart()
if user_group.is_member(user.dn):
log.info("The entry cache was corrupted")
assert False
assert False
# Verify test group is still found in entry cache by deleting it
test_group.delete()
# Success
log.info("Test PASSED")
