def test_nestedrole(topo, _final):
    """Deny access through an ACI bound to a nested role and check who is affected.

    :id: d52a9cw0-3bg6-11e9-9b7b-8c16451d917t
    :setup: Standalone server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Search managed role entries
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # Two managed roles that will both be members of one nested role.
    managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
    role_a = managed_roles.create(properties={"cn": 'managed_role1'})
    role_b = managed_roles.create(properties={"cn": 'managed_role2'})

    # The nested role aggregates both managed roles via nsRoleDN.
    nested_role = NestedRoles(topo.standalone, DEFAULT_SUFFIX).create(
        properties={
            "cn": 'nested_role',
            "nsRoleDN": [role_a.dn, role_b.dn],
        })

    # Three users: one per managed role, and one with no role at all.
    users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    for idx, role in ((1, role_a), (2, role_b), (3, None)):
        account = users.create_test_user(uid=idx, gid=idx)
        if role is not None:
            account.set('nsRoleDN', role.dn)
        account.set('userPassword', PW_DM)

    # deny(all) for whoever holds the nested role; membership in either
    # managed role is expected to propagate through the nesting.
    deny_aci = (f'(targetattr=*)(version 3.0; aci '
                f'"role aci"; deny(all) roledn="ldap:///{nested_role.dn}";)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add('aci', deny_aci)

    # Bound as a member of managed_role1 / managed_role2: the deny rule hides
    # every user entry from the search.
    for uid in ('test_user_1', 'test_user_2'):
        bound = users.get(uid).bind(PW_DM)
        assert not UserAccounts(bound, DEFAULT_SUFFIX).list()

    # Bound as the role-less user: the deny rule does not apply, entries are visible.
    bound = users.get('test_user_3').bind(PW_DM)
    assert UserAccounts(bound, DEFAULT_SUFFIX).list()
def test_usandsconf_dbgen_nested_role(topology_st, set_log_file_and_ldif):
    """Test ldifgen (formerly dbgen) tool to create a nested role

    :id: 97fff0a8-3103-4adb-be04-2799ff58d8f1
    :setup: Standalone instance
    :steps:
        1. Create DS instance
        2. Run ldifgen to generate ldif with nested role
        3. Import generated ldif to database
        4. Check it was properly imported
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
    """
    expected_ldap_result = ('adding new entry '
                            '"cn=My_Nested_Role,ou=nested roles,dc=example,dc=com"')
    inst = topology_st.standalone

    # Option object in the shape dbgen_create_role consumes.
    args = FakeArgs()
    args.NAME = 'My_Nested_Role'
    args.parent = 'ou=nested roles,dc=example,dc=com'
    args.create_parent = True
    args.type = 'nested'
    args.filter = None
    args.role_dn = ['cn=some_role,ou=roles,dc=example,dc=com']
    args.ldif_file = ldif_file

    # Every line the tool is expected to have logged, in order.
    expected_log_lines = [
        'Generating LDIF with the following options:',
        f'NAME={args.NAME}',
        f'parent={args.parent}',
        f'create-parent={args.create_parent}',
        f'type={args.type}',
        f'role-dn={args.role_dn}',
        f'ldif-file={args.ldif_file}',
        'Writing LDIF',
        f'Successfully created LDIF file: {args.ldif_file}',
    ]

    log.info('Run ldifgen to create nested role ldif')
    dbgen_create_role(inst, log, args)

    log.info('Check if file exists')
    assert os.path.exists(ldif_file)
    check_value_in_log_and_reset(expected_log_lines)

    # Groups, COS, Roles and modification ldifs are designed to be used by ldapmodify, not ldif2db
    run_ldapmodify_from_file(inst, ldif_file, expected_ldap_result)

    log.info('Check that nested role is imported')
    roles = NestedRoles(inst, DEFAULT_SUFFIX)
    assert roles.exists(args.NAME)
    imported_role = roles.get(args.NAME)
    # The generated entry must carry the requested member role DN.
    assert imported_role.present('nsRoleDN', args.role_dn[0])
def finofaci():
    """Removes and Restores ACIs and other users after the test.

    Strips every ACI from the suffix, deletes all managed roles, nested
    roles and users, then re-adds the ACIs held in ``aci_list`` (presumably
    the set saved before the test ran — confirm against the fixture).
    """
    inst = topo.standalone
    domain = Domain(inst, DEFAULT_SUFFIX)
    domain.remove_all('aci')

    leftovers = (
        ManagedRoles(inst, DEFAULT_SUFFIX).list()
        + NestedRoles(inst, DEFAULT_SUFFIX).list()
        + UserAccounts(inst, DEFAULT_SUFFIX).list()
    )
    for entry in leftovers:
        entry.delete()

    for saved_aci in aci_list:
        domain.add("aci", saved_aci)
def finofaci():
    """Removes and Restores ACIs and other users after the test.
    And restore nsslapd-ignore-virtual-attrs to default

    Strips every ACI from the suffix, deletes all managed roles, nested
    roles and users, re-adds the ACIs held in ``aci_list`` (presumably the
    set saved before the test ran — confirm against the fixture) and sets
    nsslapd-ignore-virtual-attrs back to 'on'.
    """
    inst = topo.standalone
    domain = Domain(inst, DEFAULT_SUFFIX)
    domain.remove_all('aci')

    leftovers = (
        ManagedRoles(inst, DEFAULT_SUFFIX).list()
        + NestedRoles(inst, DEFAULT_SUFFIX).list()
        + UserAccounts(inst, DEFAULT_SUFFIX).list()
    )
    for entry in leftovers:
        entry.delete()

    for saved_aci in aci_list:
        domain.add("aci", saved_aci)

    # Roles are virtual attributes; the test presumably turned this off so
    # nsRoleDN is evaluated, so put the default back.
    inst.config.set('nsslapd-ignore-virtual-attrs', 'on')
def _add_user(request, topo):
    """Create the OU, roles and users the roledn ACI tests need, and register their teardown.

    Four ACIs are placed on ou=roledntest, each granting allow(all) on one
    target entry to a different roledn expression: a single nested role, an
    OR of two roles, the "anyone" keyword, and a negated OR. Nested, managed
    and filtered roles are created under OU_ROLE, followed by users that
    either hold a managed role directly or hold none.
    """
    inst = topo.standalone

    ous = OrganizationalUnits(inst, DEFAULT_SUFFIX)
    test_ou = ous.create(properties={'ou': 'roledntest'})
    # NOTE(review): the first and fourth ACIs have no space between
    # "allow(all)" and "roledn" — confirm the ACI parser accepts this.
    test_ou.set('aci', [
        f'(target="ldap:///{NESTED_ROLE_TESTER}")(targetattr="*") '
        f'(version 3.0; aci "nested role aci"; allow(all)'
        f'roledn = "ldap:///{ROLE2}";)',
        f'(target="ldap:///{OR_RULE_ACCESS}")(targetattr="*")'
        f'(version 3.0; aci "or role aci"; allow(all) '
        f'roledn = "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
        f'(target="ldap:///{ALL_ACCESS}")(targetattr=*)'
        f'(version 3.0; aci "anyone role aci"; allow(all) '
        f'roledn = "ldap:///anyone";)',
        f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr=*)'
        f'(version 3.0; aci "not role aci"; allow(all)'
        f'roledn != "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
    ])

    # role2 nests ROLE1 and ROLE21; role3 nests role2 and ROLE31.
    nested_roles = NestedRoles(inst, OU_ROLE)
    for role_cn, member_roles in (('role2', [ROLE1, ROLE21]),
                                  ('role3', [ROLE2, ROLE31])):
        nested_roles.create(properties={'cn': role_cn, 'nsRoleDN': member_roles})

    managed_roles = ManagedRoles(inst, OU_ROLE)
    for role_cn in ('ROLE1', 'ROLE21', 'ROLE31'):
        managed_roles.create(properties={'cn': role_cn})

    # Membership in filterRole is computed from the entry's sn attribute.
    filtered_roles = FilteredRoles(inst, OU_ROLE)
    filtered_roles.create(properties={
        'cn': 'filterRole',
        'nsRoleFilter': 'sn=Dr Drake',
        'description': 'filter role tester',
    })

    users = UserAccounts(inst, OU_ROLE, rdn=None)

    def _user_props(uid, description, role_dn=None):
        """Build the attribute dict for one test user; nsRoleDN only when a role is given."""
        props = {
            'uid': uid,
            'cn': uid,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + uid,
            'userPassword': PW_DM,
        }
        if role_dn is not None:
            props['nsRoleDN'] = role_dn
        props['Description'] = description
        return props

    # Users holding a managed role directly.
    for uid, role_dn, description in (
            ('STEVE_ROLE', ROLE1, 'Has roles 1, 2 and 3.'),
            ('HARRY_ROLE', ROLE21, 'Has roles 21, 2 and 3.'),
            ('MARY_ROLE', ROLE31, 'Has roles 31 and 3.')):
        users.create(properties=_user_props(uid, description, role_dn))

    # Users with no nsRoleDN: one future filterRole member, one with no role,
    # and the target entries the four ACIs above point at.
    for uid, description in (
            ('JOE_ROLE', 'Has filterRole.'),
            ('NOROLEUSER', 'Has no roles.'),
            ('SCRACHENTRY', 'Entry to test rights on.'),
            ('all access', 'Everyone has acccess (incl anon).'),
            ('not rule access', 'Only accessible to mary.'),
            ('or rule access', 'Only to steve and harry but nbot mary or anon'),
            ('nested role tester', 'Only accessible to harry and steve.')):
        users.create(properties=_user_props(uid, description))

    # Give JOE_ROLE the sn that filterRole's nsRoleFilter matches.
    UserAccount(inst, f'uid=JOE_ROLE,ou=roledntest,{DEFAULT_SUFFIX}').set(
        'sn', 'Dr Drake')

    def fin():
        """Delete every user, managed role and nested role created above.

        NOTE(review): filterRole and ou=roledntest are not removed here.
        """
        for entry in users.list() + managed_roles.list() + nested_roles.list():
            entry.delete()

    request.addfinalizer(fin)