def aci_with_attr_subtype(request, topology_m2):
"""Adds and deletes an ACI in the DEFAULT_SUFFIX"""
TARGET_ATTR = 'protectedOperation'
USER_ATTR = 'allowedToPerform'
SUBTYPE = request.param
suffix = Domain(topology_m2.ms["supplier1"], DEFAULT_SUFFIX)
log.info("========Executing test with '%s' subtype========" % SUBTYPE)
log.info(" Add a target attribute")
add_attr(topology_m2, TARGET_ATTR)
log.info(" Add a user attribute")
add_attr(topology_m2, USER_ATTR)
ACI_TARGET = '(targetattr=%s;%s)' % (TARGET_ATTR, SUBTYPE)
ACI_ALLOW = '(version 3.0; acl "test aci for subtypes"; allow (read) '
ACI_SUBJECT = 'userattr = "%s;%s#GROUPDN";)' % (USER_ATTR, SUBTYPE)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
log.info("Add an ACI with attribute subtype")
suffix.add('aci', ACI_BODY)
def fin():
log.info("Finally, delete an ACI with the '%s' subtype" %
SUBTYPE)
suffix.remove('aci', ACI_BODY)
request.addfinalizer(fin)
return ACI_BODY
def test_search_access_should_not_include_read_access(topo, clean, aci_of_user):
"""
bug 345643
Misc Test 4 search access should not include read access
:id:98ab173e-7db8-11e8-a309-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
assert Domain(topo.standalone, DEFAULT_SUFFIX).present('aci')
Domain(topo.standalone, DEFAULT_SUFFIX)\
.add("aci", [f'(target ="ldap:///{DEFAULT_SUFFIX}")(targetattr !="userPassword")'
'(version 3.0;acl "anonymous access";allow (search)'
'(userdn = "ldap:///anyone");)',
f'(target="ldap:///{DEFAULT_SUFFIX}") (targetattr = "*")(version 3.0; '
'acl "allow self write";allow(write) '
'userdn = "ldap:///self";)',
f'(target="ldap:///{DEFAULT_SUFFIX}") (targetattr = "*")(version 3.0; '
'acl "Allow all admin group"; allow(all) groupdn = "ldap:///cn=Directory '
'Administrators, {}";)'])
conn = Anonymous(topo.standalone).bind()
# search_access_should_not_include_read_access
suffix = Domain(conn, DEFAULT_SUFFIX)
with pytest.raises(AssertionError):
assert suffix.present('aci')
def aci_of_user(request, topo):
"""
:param request:
:param topo:
"""
# Add anonymous access aci
ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (
DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
suffix.add('aci', ANON_ACI)
except ldap.TYPE_OR_VALUE_EXISTS:
pass
aci_list = suffix.get_attr_vals('aci')
def finofaci():
"""
Removes and Restores ACIs after the test.
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.remove_all('aci')
for i in aci_list:
domain.add("aci", i)
request.addfinalizer(finofaci)
def test_ruv_after_reindex(topo):
"""Test that the tombstone RUV entry is not corrupted after a reindex task
:id: 988c0fab-1905-4dc5-a45d-fbf195843a33
:setup: 2 suppliers
:steps:
1. Reindex database
2. Perform some updates
3. Check error log does not have "_entryrdn_insert_key" errors
:expectedresults:
1. Success
2. Success
3. Success
"""
inst = topo.ms['supplier1']
suffix = Domain(inst, "ou=people," + DEFAULT_SUFFIX)
backends = Backends(inst)
backend = backends.get(DEFAULT_BENAME)
# Reindex nsuniqueid
backend.reindex(attrs=['nsuniqueid'], wait=True)
# Do some updates
for idx in range(0, 5):
suffix.replace('description', str(idx))
# Check error log for RUV entryrdn errors. Stopping instance forces RUV
# to be written and quickly exposes the error
inst.stop()
assert not inst.searchErrorsLog("entryrdn_insert_key")
def test_hierarchy(topo, _add_user, aci_of_user):
"""
Testing the targattrfilters keyword that allows access control based on the value of
the attributes being added (or deleted))
Test that with two targattrfilters in the hierarchy that the general one applies.
This is the correct behaviour, even if it's a bit
:id:d7ae354a-7aa9-11e8-8b0d-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targattrfilters = "add=title:(title=arch*)")(version 3.0; acl "$tet_thistest"; ' \
'allow (write) (userdn = "ldap:///anyone") ;)'
ACI_BODY1 = '(targattrfilters = "add=title:(title=architect)")(version 3.0; ' \
'acl "$tet_thistest"; allow (write) (userdn = "ldap:///anyone") ;)'
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY1)
_AddTitleWithRoot(topo, "engineer").add()
# aci will allow to add title architect
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
_ModTitleArchitectJeffVedder(topo, "architect", conn).add()
# aci will not allow to add title architect
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
_ModTitleArchitectJeffVedder(topo, "engineer", conn).add()
def create_user(topology_st):
"""User for binding operation"""
users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
users.create(
properties={
'cn': TEST_USER_NAME,
'sn': TEST_USER_NAME,
'userpassword': TEST_USER_PWD,
'mail': '*****@*****.**' % TEST_USER_NAME,
'uid': TEST_USER_NAME,
'uidNumber': '1000',
'gidNumber': '1000',
'homeDirectory': '/home/test'
})
# Add anonymous access aci
ACI_TARGET = "(targetattr != \"userpassword || aci\")(target = \"ldap:///%s\")" % (
DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topology_st.standalone, DEFAULT_SUFFIX)
try:
suffix.add('aci', ANON_ACI)
except ldap.TYPE_OR_VALUE_EXISTS:
pass
def _write_aci_staging(topology_m2, mod_type=None):
assert mod_type is not None
ACI_TARGET = "(targetattr= \"uid\")(target=\"ldap:///uid=*,%s\")" % STAGING_DN
ACI_ALLOW = "(version 3.0; acl \"write staging entries\"; allow (write)"
ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topology_m2.ms["master1"], SUFFIX)
suffix.set('aci', ACI_BODY, mod_type)
def test_user(request, topo):
for demo in ['Product Development', 'Accounting', 'nestedgroup']:
OrganizationalUnit(topo.standalone, "ou={},{}".format(
demo, DEFAULT_SUFFIX)).create(properties={'ou': demo})
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'ou=nestedgroup')
for demo1 in [
'DEEPUSER_GLOBAL', 'scratchEntry', 'DEEPUSER2_GLOBAL',
'DEEPUSER3_GLOBAL', 'GROUPDNATTRSCRATCHENTRY_GLOBAL', 'newChild'
]:
uas.create(
properties={
'uid': demo1,
'cn': demo1,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + demo1,
'userPassword': PW_DM
})
# Add anonymous access aci
ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (
DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
suffix.add('aci', ANON_ACI)
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX,
'uid=GROUPDNATTRSCRATCHENTRY_GLOBAL,ou=nestedgroup')
for demo1 in ['c1', 'CHILD1_GLOBAL']:
uas.create(
properties={
'uid': demo1,
'cn': demo1,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + demo1,
'userPassword': PW_DM
})
grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=nestedgroup')
for i in [
('ALLGROUPS_GLOBAL', GROUPA_GLOBAL), ('GROUPA_GLOBAL', GROUPB_GLOBAL),
('GROUPB_GLOBAL', GROUPC_GLOBAL), ('GROUPC_GLOBAL', GROUPD_GLOBAL),
('GROUPD_GLOBAL', GROUPE_GLOBAL), ('GROUPE_GLOBAL', GROUPF_GLOBAL),
('GROUPF_GLOBAL', GROUPG_GLOBAL), ('GROUPG_GLOBAL', GROUPH_GLOBAL),
('GROUPH_GLOBAL', DEEPUSER_GLOBAL)
]:
grp.create(properties={
'cn': i[0],
'ou': 'groups',
'uniquemember': i[1]
})
def _write_aci_production(topology_m2, mod_type=None):
assert mod_type is not None
ACI_TARGET = "(targetattr= \"uid\")(target=\"ldap:///uid=*,%s\")" % PRODUCTION_DN
ACI_ALLOW = "(version 3.0; acl \"write production entries\"; allow (write)"
ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topology_m2.ms["supplier1"], SUFFIX)
suffix.set('aci', ACI_BODY, mod_type)
def moddn_setup(topology_m2):
"""Creates
- a staging DIT
- a production DIT
- add accounts in staging DIT
- enable ACL logging (commented for performance reason)
"""
m1 = topology_m2.ms["supplier1"]
o_roles = OrganizationalRoles(m1, SUFFIX)
m1.log.info("\n\n######## INITIALIZATION ########\n")
# entry used to bind with
m1.log.info("Add {}".format(BIND_DN))
user = UserAccount(m1, BIND_DN)
user_props = TEST_USER_PROPERTIES.copy()
user_props.update({'sn': BIND_RDN,
'cn': BIND_RDN,
'uid': BIND_RDN,
'userpassword': BIND_PW})
user.create(properties=user_props, basedn=SUFFIX)
# Add anonymous read aci
ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"*\")" % (SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = " userdn = \"ldap:///anyone\";)"
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(m1, SUFFIX)
suffix.add('aci', ACI_BODY)
# DIT for staging
m1.log.info("Add {}".format(STAGING_DN))
o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"})
# DIT for production
m1.log.info("Add {}".format(PRODUCTION_DN))
o_roles.create(properties={'cn': PRODUCTION_CN, 'description': "production DIT"})
# DIT for production/except
m1.log.info("Add {}".format(PROD_EXCEPT_DN))
o_roles_prod = OrganizationalRoles(m1, PRODUCTION_DN)
o_roles_prod.create(properties={'cn': EXCEPT_CN, 'description': "production except DIT"})
# enable acl error logging
# mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')]
# m1.modify_s(DN_CONFIG, mod)
# topology_m2.ms["supplier2"].modify_s(DN_CONFIG, mod)
# add dummy entries in the staging DIT
staging_users = UserAccounts(m1, SUFFIX, rdn="cn={}".format(STAGING_CN))
user_props = TEST_USER_PROPERTIES.copy()
for cpt in range(MAX_ACCOUNTS):
name = "{}{}".format(NEW_ACCOUNT, cpt)
user_props.update({'sn': name, 'cn': name, 'uid': name})
staging_users.create(properties=user_props)
def new_suffixes(topo):
"""Create new suffix, backend and mapping tree"""
for num in range(1, 4):
backends = Backends(topo.ins["standalone{}".format(num)])
backends.create(properties={
BACKEND_SUFFIX: NEW_SUFFIX,
BACKEND_NAME: NEW_BACKEND
})
domain = Domain(topo.ins["standalone{}".format(num)], NEW_SUFFIX)
domain.create(properties={'dc': 'test', 'description': NEW_SUFFIX})
def _moddn_aci_from_production_to_staging(topology_m2, mod_type=None):
assert mod_type is not None
ACI_TARGET = "(target_from = \"ldap:///%s\") (target_to = \"ldap:///%s\")" % (
PRODUCTION_DN, STAGING_DN)
ACI_ALLOW = "(version 3.0; acl \"MODDN from production to staging\"; allow (moddn)"
ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topology_m2.ms["supplier1"], SUFFIX)
suffix.set('aci', ACI_BODY, mod_type)
_write_aci_production(topology_m2, mod_type=mod_type)
def assert_data_present(inst):
# Do we have the backend marker?
d = Domain(inst, DEFAULT_SUFFIX)
try:
desc = d.get_attr_val_utf8('description')
if desc == TEST_MARKER:
return
except:
# Just reset everything.
pass
# Reset the backends
bes = Backends(inst)
try:
be = bes.get(DEFAULT_SUFFIX)
be.delete()
except:
pass
be = bes.create(properties={
'nsslapd-suffix': DEFAULT_SUFFIX,
'cn': 'userRoot',
})
be.create_sample_entries('001004002')
# Load our data
# We can't use dbgen as that relies on local access :(
# Add 40,000 groups
groups = Groups(inst, DEFAULT_SUFFIX)
for i in range(1, GROUP_MAX):
rdn = 'group_{0:07d}'.format(i)
groups.create(properties={
'cn': rdn,
})
# Add 60,000 users
users = nsUserAccounts(inst, DEFAULT_SUFFIX)
for i in range(1, USER_MAX):
rdn = 'user_{0:07d}'.format(i)
users.create(
properties={
'uid': rdn,
'cn': rdn,
'displayName': rdn,
'uidNumber': '%s' % i,
'gidNumber': '%s' % i,
'homeDirectory': '/home/%s' % rdn,
'userPassword': rdn,
})
# Add the marker
d.replace('description', TEST_MARKER)
def test_mapping_tree_flipped_components(topology):
inst = topology.standalone
# First create two Backends, without mapping trees.
be1 = create_backend(inst, 'userRootA', 'dc=example,dc=com')
be2 = create_backend(inst, 'userRootB', 'dc=com,dc=example')
# Okay, now we create the mapping trees for these backends, and we *invert* them in the parent config setting
mts = MappingTrees(inst)
mtb = mts.create(
properties={
'cn': 'dc=example,dc=com',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootA',
})
mta = mts.create(
properties={
'cn': 'dc=com,dc=example',
'nsslapd-state': 'backend',
'nsslapd-backend': 'userRootB',
})
dc_ex = Domain(inst, dn='dc=example,dc=com')
assert dc_ex.exists()
dc_ab = Domain(inst, dn='dc=com,dc=example')
assert dc_ab.exists()
# Restart and check again
inst.restart()
assert dc_ex.exists()
assert dc_ab.exists()
def add_anon_aci_access(topo, request):
# Add anonymous access aci
ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
suffix.add('aci', ANON_ACI)
except ldap.TYPE_OR_VALUE_EXISTS:
pass
def fin():
suffix.delete()
request.addfinalizer(fin)
def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):
"""
User cannot access the data at all as per the ACI.
:id: 75cdac5e-7ac5-11e8-968a-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
f'and dayofweek = "$NEW_DATE" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NODAY_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):
"""
User can access the data one day per week as per the ACI.
:id: 7131dc88-7ac5-11e8-acc2-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
today_1 = time.strftime("%c").split()[0]
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
f'and dayofweek = \'{today_1}\' ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, TODAY_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
org.replace("seeAlso", "cn=1")
def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user):
"""
User can access the data EVERYDAY_KEY as per the ACI.
:id: 6c5922ca-7ac5-11e8-8f01-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '
f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, EVERYDAY_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
org.replace("seeAlso", "cn=1")
def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_user):
"""
User can access the data only in the afternoon as per the ACI.
:id: 63eb5b1c-7ac5-11e8-bd46-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" '
f'and timeofday > \'1200\' ;)')
# create a new connection for the test
conn = UserAccount(topo.standalone, NIGHTWORKER_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
if datetime.now().hour < 12:
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
else:
org.replace("seeAlso", "cn=1")
def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):
"""
User can access the data at any time as per the ACI.
:id: 5b4da91a-7ac5-11e8-bbda-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '
f'(timeofday >= "0000" and timeofday <= "2359") ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, FULLWORKER_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
org.replace("seeAlso", "cn=1")
def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_network_2(
topo, add_user, aci_of_user):
"""User cannot access the data when connecting from an unauthorized network as per the ACI.
:id: 396bdd44-7ac5-11e8-8014-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
f'and dnsalias != "www.redhat.com" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)
# Perform Operation
OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_deny_search_access_to_userdn_with_ldap_url_matching_all_users(
topo, test_uer, aci_of_user):
"""Search Test 25 Deny search access to userdn with LDAP URL matching all users
:id: b37f72ae-6e12-11e8-9c98-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
ACI_SUBJECT = 'userdn = "ldap:///%s";)' % "{}??sub?(&(cn=*))".format(
DEFAULT_SUFFIX)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block all users LDAP URL matching all users
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block all users LDAP URL matching all users
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
"""Dnsalias Keyword NODNS_KEY cannot assess data as per the ACI.
:id: 41b467be-7ac5-11e8-89a3-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
f'(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{NODNS_KEY}" and '
f'dnsalias = "RAP.rock.SALSA.house.COM" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, DNS_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_user_can_access_the_data_when_connecting_from_any_machine(
topo, add_user, aci_of_user):
"""User can access the data when connecting from any machine as per the ACI.
:id: 28cbc008-7ac5-11e8-934e-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX)\
.add("aci", f'(target ="ldap:///{DNS_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{FULLDNS_KEY}" and dns = "*" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, FULLDNS_KEY).bind(PW_DM)
# Perform Operation
OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_user_can_access_the_data_when_connecting_from_some_network_only(
topo, add_user, aci_of_user):
"""User can access the data when connecting from some network only as per the ACI.
:id: 3098512a-7ac5-11e8-af85-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
dns_name = socket.getfqdn()
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX)\
.add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
f'and dns = "{dns_name}" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)
# Perform Operation
OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_deny_search_access_to_userdn_with_ldap_url(topo, test_uer,
aci_of_user):
"""Search Test 23 Deny search access to userdn with LDAP URL
:id: 94f082d8-6e12-11e8-be72-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
ACI_SUBJECT = ('userdn="ldap:///%s";)' %
"{}??sub?(&(roomnumber=3445))".format(DEFAULT_SUFFIX))
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
UserAccount(topo.standalone, USER_ANANDA).set('roomnumber', '3445')
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block all users having roomnumber=3445
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block roomnumber=3445 for all users USER_ANUJ does not have roomnumber
assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
UserAccount(topo.standalone, USER_ANANDA).remove('roomnumber', '3445')
def test_user_cannot_access_the_data_if_not_from_a_certain_domain(
topo, add_user, aci_of_user):
"""User cannot access the data if not from a certain domain as per the ACI.
:id: 3d658972-7ac5-11e8-930f-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
f'(version 3.0; aci "DNS aci"; allow(all) '
f'userdn = "ldap:///{NODNS_KEY}" '
f'and dns = "RAP.rock.SALSA.house.COM" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):
"""
User NoIP cannot assess the data as per the ACI.
:id: 570bc7f6-7ac5-11e8-88c1-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Add ACI
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", f'(target ="ldap:///{IP_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "IP aci"; allow(all) '
f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NOIP_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, IP_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def test_user_can_access_from_ipv4_or_ipv6_address(topo, add_user, aci_of_user,
ip_addr):
"""User can modify the data when accessing the server from the allowed IPv4 and IPv6 addresses
:id: 461e761e-7ac5-11e8-9ae4-8c16451d917b
:customerscenario: True
:parametrized: yes
:setup: Standalone Server
:steps:
1. Add ACI that has both IPv4 and IPv6
2. Connect from one of the IPs allowed in ACI
3. Modify an attribute
:expectedresults:
1. ACI should be added
2. Conection should be successful
3. Operation should be successful
"""
# Add ACI that contains both IPv4 and IPv6
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr="*") '
f'(version 3.0; aci "IP aci"; allow(all) '
f'userdn = "ldap:///{FULLIP_KEY}" and (ip = "127.0.0.1" or ip = "::1");)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, FULLIP_KEY).bind(
PW_DM, uri=f'ldap://{ip_addr}:{topo.standalone.port}')
# Perform Operation
OrganizationalUnit(conn, IP_OU_KEY).replace("seeAlso", "cn=1")
def create_base_domain(instance, basedn):
"""Create the base domain object"""
domain = Domain(instance, dn=basedn)
# Explode the dn to get the first bit.
avas = dn.str2dn(basedn)
dc_ava = avas[0][0][1]
domain.create(properties={
# I think in python 2 this forces unicode return ...
'dc': dc_ava,
'description': basedn,
})
# ACI can be added later according to your needs
return domain
