def test_deny_read_search_and_compare_access_with_target_and_targetattr_set(
        topo, test_uer, aci_of_user):
    """Search Test 4: deny access with both ``target`` and ``targetattr`` set.

    The rule targets CONTAINER_2_DELADD (every attribute) and denies all
    rights absolutely to every bind DN (``userdn="ldap:///anyone"``). A
    search for ``(ou=Accounting)`` therefore returns nothing for either
    regular user, while Directory Manager, which is not subject to ACI
    evaluation, still sees the single entry. Note the rule is ``deny
    absolute (all)`` rather than only read/search/compare.

    :id: 3f4a87e4-6e11-11e8-a09f-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    search_filter = '(ou=Accounting)'
    aci_body = ''.join([
        '(target = ldap:///{})(targetattr="*")'.format(CONTAINER_2_DELADD),
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)',
        'userdn="ldap:///anyone";)',
    ])
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    def count_visible(instance):
        # A denied search is not an error: the entry is simply omitted.
        return len(Accounts(instance, DEFAULT_SUFFIX).filter(search_filter))

    # Both regular users are covered by "anyone", so neither sees the entry.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert count_visible(conn) == 0
    # Root bind bypasses ACIs and still finds the entry.
    assert count_visible(topo.standalone) == 1
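def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_user):
    """
    User can access the data only in the afternoon as per the ACI.

    The ACI grants NIGHTWORKER_KEY all rights on TIMEOFDAY_OU_KEY only while
    the server-side ``timeofday`` is strictly greater than 1200, so the
    expected outcome of the modify depends on the wall clock when the test
    runs: INSUFFICIENT_ACCESS up to and including 12:00, success afterwards.

    :id: 63eb5b1c-7ac5-11e8-bd46-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Add ACI
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
                                      f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
                                      f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" '
                                      f'and timeofday > \'1200\' ;)')

    # create a new connection for the test
    conn = UserAccount(topo.standalone, NIGHTWORKER_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
    # Mirror the ACI's comparison exactly: "timeofday > '1200'" is false at
    # 12:00 itself, so testing only the hour (< 12) would wrongly expect
    # success during that minute. The ACI is evaluated against the *server's*
    # clock; this assumes client and server share clock and time zone (the
    # standalone instance runs on this host) and can still flake if the
    # minute ticks over between this check and the modify.
    if datetime.now().strftime('%H%M') <= '1200':
        with pytest.raises(ldap.INSUFFICIENT_ACCESS):
            org.replace("seeAlso", "cn=1")
    else:
        org.replace("seeAlso", "cn=1")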
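def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):
    """
    User can access the data one day per week as per the ACI.

    The ACI grants TODAY_KEY all rights on DAYOFWEEK_OU_KEY only on the
    weekday named in the rule, which is set to the current day, so the
    modify is expected to succeed. The ``dayofweek`` keyword is evaluated
    with the server's clock; a run that straddles midnight could fail.

    :id: 7131dc88-7ac5-11e8-acc2-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Derive the English three-letter day from the weekday number instead
    # of parsing time.strftime("%c"): that format's layout, and the position
    # of the (localised) weekday in it, depends on the process locale, while
    # the ACI keyword expects "Mon".."Sun". tm_wday is 0 for Monday.
    today_1 = ('Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun')[time.localtime().tm_wday]
    # Add ACI
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
                                      f'(targetattr="*")(version 3.0; aci "Dayofweek aci";  '
                                      f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
                                      f'and dayofweek = \'{today_1}\' ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, TODAY_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
    org.replace("seeAlso", "cn=1")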
def test_deny_search_access_to_userdn_with_ldap_url_matching_all_users(
        topo, test_uer, aci_of_user):
    """Search Test 25: deny search access to a userdn given as an LDAP URL.

    The bind DN is matched against ``ldap:///<suffix>??sub?(&(cn=*))``,
    which every user entry under the suffix satisfies, so ``deny (search)``
    applies to both test users. A denied search is not an error: matching
    entries are simply omitted, hence the empty results. Directory Manager
    is not subject to ACI evaluation and still sees both entries.

    :id: b37f72ae-6e12-11e8-9c98-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    subject_url = "{}??sub?(&(cn=*))".format(DEFAULT_SUFFIX)
    aci_body = (
        "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
        + '(version 3.0; acl "Name of the ACI"; deny (search)'
        + 'userdn = "ldap:///%s";)' % subject_url
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    def count_visible(instance):
        return len(Accounts(instance, DEFAULT_SUFFIX).filter('(cn=*)'))

    # Every bound user matches the URL's filter, so nothing comes back.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert count_visible(conn) == 0
    # Root bind bypasses the ACI and sees both fixture users.
    assert count_visible(topo.standalone) == 2
def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):
    """
    User NoIP cannot access the data as per the ACI.

    The only allow rule placed on IP_OU_KEY is scoped to FULLIP_KEY (from
    any client address, ``ip = "*"``). NOIP_KEY is not named by it, and
    with no matching allow the default is deny, so its modify is rejected
    with INSUFFICIENT_ACCESS.

    :id: 570bc7f6-7ac5-11e8-88c1-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    allow_rule = (f'(target ="ldap:///{IP_OU_KEY}")'
                  f'(targetattr="*")(version 3.0; aci "IP aci"; allow(all) '
                  f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", allow_rule)

    # Bind as the user the rule does not cover and attempt a write.
    as_noip = UserAccount(topo.standalone, NOIP_KEY).bind(PW_DM)
    target_ou = OrganizationalUnit(as_noip, IP_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        target_ou.replace("seeAlso", "cn=1")
def test_deny_all_access_with_userdn(topo, test_uer, aci_of_user):
    """Search Test 20: deny all access to one explicitly named userdn.

    The rule denies every right on the whole suffix, but only to the bind
    DN USER_ANANDA. That user's view of the suffix becomes empty; any other
    user, and Directory Manager, keep seeing both fixture entries.

    :id: 75aada86-6e12-11e8-bd34-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    aci_body = ''.join([
        "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX),
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)',
        'userdn="ldap:///{}";)'.format(USER_ANANDA),
    ])
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    def count_visible(instance):
        return len(Accounts(instance, DEFAULT_SUFFIX).filter('(cn=*)'))

    # USER_ANANDA is the denied subject: the suffix is invisible to it.
    as_ananda = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
    assert count_visible(as_ananda) == 0
    # The deny names a single DN; other users keep their normal view.
    as_anuj = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
    assert count_visible(as_anuj) == 2
    # Root bind is not subject to ACIs.
    assert count_visible(topo.standalone) == 2
def aci_with_attr_subtype(request, topology_m2):
    """Adds and deletes an ACI in the DEFAULT_SUFFIX

    Parametrised by ``request.param`` (the attribute subtype under test).
    Registers the two attributes via ``add_attr`` on the topology, adds a
    read-only ACI whose targetattr and userattr bind rule both carry the
    subtype, and removes that ACI again at teardown.

    :returns: the ACI value string that was added.
    """
    target_attr = 'protectedOperation'
    user_attr = 'allowedToPerform'
    subtype = request.param
    suffix = Domain(topology_m2.ms["supplier1"], DEFAULT_SUFFIX)

    log.info("========Executing test with '%s' subtype========" % subtype)
    log.info("        Add a target attribute")
    add_attr(topology_m2, target_attr)
    log.info("        Add a user attribute")
    add_attr(topology_m2, user_attr)

    # Read is granted only where the bound DN is a member of the group named
    # in the entry's "<user_attr>;<subtype>" value (GROUPDN bind rule).
    aci_body = (
        '(targetattr=%s;%s)' % (target_attr, subtype)
        + '(version 3.0; acl "test aci for subtypes"; allow (read) '
        + 'userattr = "%s;%s#GROUPDN";)' % (user_attr, subtype)
    )
    log.info("Add an ACI with attribute subtype")
    suffix.add('aci', aci_body)

    def teardown():
        log.info("Finally, delete an ACI with the '%s' subtype" % subtype)
        suffix.remove('aci', aci_body)

    request.addfinalizer(teardown)
    return aci_body
def test_deny_group_member_all_rights_to_user(topo, aci_of_user, test_user):
    """
        Try deleting user while no access

        A ``deny (all)`` rule on every attribute is placed for members of
        BIG_GLOBAL; binding as Ted Morris (expected to be a member, per the
        fixture) and deleting DEEPUSER3_GLOBAL must then be refused with
        INSUFFICIENT_ACCESS.

        :id: 0da68a4c-7840-11e8-98c2-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Take a count of users using DN_DM
            3. delete test user
            4. add aci
            5. test should fullfil the aci rules
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  succeed
            5. Operation should  succeed
    """
    deny_rule = '(targetattr="*")(version 3.0; acl "ACLGroup"; deny (all) groupdn = "ldap:///{}" ;)'.format(BIG_GLOBAL)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", deny_rule)
    ted_dn = "uid=Ted Morris, ou=Accounting, {}".format(DEFAULT_SUFFIX)
    as_ted = UserAccount(topo.standalone, ted_dn).bind(PW_DM)
    # Every right is denied to BIG_GLOBAL members, so the delete must fail.
    target = UserAccount(as_ted, DEEPUSER3_GLOBAL)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        target.delete()
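def test_deny_group_member_all_rights_to_group_members(topo, aci_of_user, test_user):
    """
        Deny group member all rights

        A ``deny (all)`` rule on every attribute is placed for members of
        BIG_GLOBAL. A fresh test user is created under ou=AclGroup and then
        looked up while bound as Ted Morris (expected to be a BIG_GLOBAL
        member, per the fixture): the entry must be invisible, which shows
        up as an empty attribute read (IndexError). The created entry is
        always deleted afterwards, even when an assertion fails.

        :id: 2d4ff70c-7840-11e8-8472-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Take a count of users using DN_DM
            3. Add test user
            4. add aci
            5. test should fullfil the aci rules
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  succeed
            5. Operation should  succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; acl "ACLGroup"; deny (all) groupdn = "ldap:///{}" ;)'.format(BIG_GLOBAL))
    # Keep the created object: its real DN (under DEFAULT_SUFFIX) is used for
    # both the denied lookup and the cleanup instead of a hard-coded suffix.
    created = UserAccounts(topo.standalone, DEFAULT_SUFFIX, "ou=AclGroup").create_test_user()
    try:
        conn = UserAccount(topo.standalone, "uid=Ted Morris, ou=Accounting, {}".format(DEFAULT_SUFFIX)).bind(PW_DM)
        # group BIG_GLOBAL no access: the entry is not returned to this bind,
        # so reading an attribute indexes an empty result.
        user = UserAccount(conn, created.dn)
        with pytest.raises(IndexError):
            user.get_attr_val_utf8('uid')
    finally:
        # Remove the entry on every path so a leftover uid=test_user_1000
        # cannot collide with the next test that creates one.
        created.delete()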
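def _create_schema(request, topo):
    """Set up the bitwise-filter test data on the standalone instance.

    Adds two custom attribute types and the ``testperson`` object class,
    creates a dedicated backend ('AnujRoot') and suffix, and populates it
    with the btestuser* entries whose testUserAccountControl /
    testUserStatus values the filter tests query.

    The finalizer deletes the users, the suffix and the backend. It is
    registered before any user is created so that a failure part-way
    through population still tears the backend down; the schema additions
    themselves are not reverted.

    :param request: pytest fixture request, used to register the finalizer.
    :param topo: topology providing ``topo.standalone``.
    """
    # A space separates DESC's closing quote from the SYNTAX keyword so the
    # definition is well-formed RFC 4512 text rather than relying on the
    # server's parser being lenient about adjacent tokens.
    Schema(topo.standalone).\
        add('attributetypes',
            ["( NAME 'testUserAccountControl' DESC 'Attribute Bitwise filteri-Multi-Valued' "
             "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )",
             "( NAME 'testUserStatus' DESC 'State of User account active/disabled' "
             "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"])

    Schema(topo.standalone).\
        add('objectClasses', "( NAME 'testperson' SUP top STRUCTURAL MUST "
                             "( sn $ cn $ testUserAccountControl $ "
                             "testUserStatus ) MAY ( userPassword $ telephoneNumber $ "
                             "seeAlso $ description ) X-ORIGIN 'BitWise' )")

    # Creating Backend
    backends = Backends(topo.standalone)
    backend = backends.create(properties={
        'nsslapd-suffix': SUFFIX,
        'cn': 'AnujRoot'
    })

    # Creating suffix
    suffix = Domain(topo.standalone, SUFFIX).create(properties={'dc': 'anuj'})

    users = UserAccounts(topo.standalone, suffix.dn, rdn=None)

    def fin():
        """
        Deletes entries after the test.
        """
        for user in users.list():
            user.delete()

        suffix.delete()
        backend.delete()

    # Registered before population: if creating a user below raises, the
    # suffix and the 'AnujRoot' backend are still removed instead of leaking
    # into later tests.
    request.addfinalizer(fin)

    # Creating users
    for user in [('btestuser1', ['514'], ['Disabled'], 100),
                 ('btestuser2', ['65536'], ['PasswordNeverExpired'], 101),
                 ('btestuser3', ['8388608'], ['PasswordExpired'], 102),
                 ('btestuser4', ['256'], ['TempDuplicateAccount'], 103),
                 ('btestuser5', ['16777216'], ['TrustedAuthDelegation'], 104),
                 ('btestuser6', ['528'], ['AccountLocked'], 105),
                 ('btestuser7', ['513'], ['AccountActive'], 106),
                 ('btestuser11', ['655236'], ['TestStatus1'], 107),
                 ('btestuser12', ['665522'], ['TestStatus2'], 108),
                 ('btestuser13', ['266552'], ['TestStatus3'], 109),
                 ('btestuser8', ['98536', '99512', '99528'],
                  ['AccountActive', 'PasswordExxpired', 'AccountLocked'], 110),
                 ('btestuser9', [
                     '87536',
                     '912',
                 ], [
                     'AccountActive',
                     'PasswordNeverExpired',
                 ], 111),
                 ('btestuser10', ['89536', '97546', '96579'],
                  ['TestVerify1', 'TestVerify2', 'TestVerify3'], 112)]:
        CreateUsers(users, user[0], user[1], user[2], user[3]).user_create()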
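def test_caching_changes(topo, aci_of_user, test_user):
    """
        Add user and then test deny

        A ``deny (read, search)`` on ``roomnumber`` for every bind DN
        (``userdn = "ldap:///all"``) is added first; a test user is then
        created and given a roomnumber. Bound as DEEPUSER_GLOBAL, the entry
        is visible but the denied attribute must not be returned. The
        created entry is always deleted afterwards, even on failure.

        :id: 26ed2dc2-783f-11e8-b1a5-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Take a count of users using DN_DM
            3. Add test user
            4. add aci
            5. test should fullfil the aci rules
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  succeed
            5. Operation should  succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="roomnumber")(version 3.0; acl "ACLGroup"; deny ( read, search ) userdn = "ldap:///all" ;)')
    # Keep the created object: its real DN (under DEFAULT_SUFFIX) is used for
    # the lookup and the cleanup instead of a hard-coded suffix.
    created = UserAccounts(topo.standalone, DEFAULT_SUFFIX, "ou=AclGroup").create_test_user()
    try:
        created.set('roomnumber', '3445')
        conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
        # targetattr="roomnumber" is denied: the attribute comes back empty
        # for this bind. (Same check as `with raises(AssertionError): assert x`,
        # written directly so an unrelated AssertionError cannot satisfy it.)
        as_seen = UserAccount(conn, created.dn)
        assert not as_seen.get_attr_val_utf8('roomNumber')
    finally:
        # Remove the entry on every path so a leftover uid=test_user_1000
        # cannot collide with the next test that creates one.
        created.delete()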
def test_deny_all_access_with_target_set(topo, test_uer, aci_of_user):
    """Deny all access with ``target`` set to a single user entry.

    The rule targets USER_ANANDA's own entry and denies every right to
    every bind DN (``anyone``), so a search for ``(cn=Ananda*)`` returns
    nothing for either regular user -- including USER_ANANDA reading
    itself -- while Directory Manager, which bypasses ACI evaluation,
    still finds it.

    :id: 0550e680-6e0e-11e8-82f4-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    search_filter = '(cn=Ananda*)'
    aci_body = ''.join([
        '(target = ldap:///{})(targetattr="*")'.format(USER_ANANDA),
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)',
        'userdn="ldap:///anyone";)',
    ])
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    def count_visible(instance):
        return len(Accounts(instance, DEFAULT_SUFFIX).filter(search_filter))

    # "anyone" covers both users, so neither sees the targeted entry.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert count_visible(conn) == 0
    # Root bind is not subject to the ACI.
    assert count_visible(topo.standalone) == 1
def test_deny_all_access_with__target_set(topo, test_uer, aci_of_user,
                                          request):
    """Search Test 8: deny all access with a ``target !=`` rule.

    Everything *except* USER_ANANDA's entry is denied to every bind DN, so
    a subtree search for ``(cn=*)`` leaves each regular user with exactly
    one visible entry, while Directory Manager sees all four. The ACI is
    named after the running test node so it is easy to find on the server.

    :id: bc00aed0-6e11-11e8-be66-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    aci_body = ('(target != "ldap:///{}")(targetattr = "*")'
                '(version 3.0; acl "{}"; deny absolute (all) (userdn = "ldap:///anyone") ;)'
                .format(USER_ANANDA, request.node.name))
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    def count_visible(instance):
        return len(Accounts(instance, DEFAULT_SUFFIX).filter('(cn=*)'))

    # Only the excluded entry (USER_ANANDA) stays visible to regular users.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert count_visible(conn) == 1
    # Root bind bypasses the ACI and sees every entry.
    assert count_visible(topo.standalone) == 4
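def test_deny_all_access_to_userdnattr(topo, test_uer, aci_of_user):
    """Search Test 7 Deny all access to userdnattr

    USER_ANUJ's ``manager`` attribute is pointed at USER_ANANDA, and a
    ``userdnattr="manager"`` rule denies every right on the suffix. The
    rule matches a bind DN that appears in the target entry's ``manager``
    value, so USER_ANANDA cannot see USER_ANUJ's entry while USER_ANUJ and
    Directory Manager can. The ``manager`` value is removed again on every
    path so it does not leak into later userdnattr tests.

    :id: ae482494-6e11-11e8-ae33-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    anuj = UserAccount(topo.standalone, USER_ANUJ)
    anuj.add('manager', USER_ANANDA)
    try:
        ACI_TARGET = '(target = ldap:///{})(targetattr="*")'.format(DEFAULT_SUFFIX)
        ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
        ACI_SUBJECT = 'userdnattr="manager";)'
        ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
        Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
        conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
        # aci will block only the DN named in the entry's "manager" attribute
        assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)'))
        conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
        # USER_ANUJ is not its own manager, so the entry stays visible to it
        assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)'))
        # with root there is no aci blockage
        assert 1 == len(
            Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)'))
    finally:
        # Undo the attribute even when an assertion above fails; a leftover
        # manager value would change what later tests observe.
        anuj.remove('manager', USER_ANANDA)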
def test_deny_all_access_with_targetfilter_using_equality_search(
        topo, test_uer, aci_of_user):
    """Search Test 14: deny all access with a ``targetfilter`` equality match.

    The rule denies every right to every bind DN, but only on entries that
    match ``(uid=Anuj Borah)``. That entry therefore disappears from both
    regular users' searches (USER_ANUJ included) and remains visible only
    to Directory Manager.

    :id: 27255e04-6e12-11e8-8e35-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    search_filter = '(uid=Anuj Borah)'
    aci_body = ''.join([
        '(targetfilter ="(uid=Anuj Borah)")(target = ldap:///{})(targetattr=*)'.format(DEFAULT_SUFFIX),
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)',
        'userdn="ldap:///anyone";)',
    ])
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    def count_visible(instance):
        return len(Accounts(instance, DEFAULT_SUFFIX).filter(search_filter))

    # The filtered entry is hidden from every regular bind.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert count_visible(conn) == 0
    # Root bind is not subject to the ACI.
    assert count_visible(topo.standalone) == 1
def test_deeply_nested_groups_aci_allow(topo, test_user, aci_of_user):
    """
        Test deeply nested groups (3)
        This aci will allow search and modify

        Two ``allow (all)`` rules are added, one for ALLGROUPS_GLOBAL and
        one for GROUPE_GLOBAL; bound as DEEPUSER_GLOBAL, adding and then
        removing an ``sn`` value on the scratch entry must succeed.

        :id: 8d338210-7840-11e8-8584-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Take a count of users using DN_DM
            3. Add test user
            4. add aci
            5. test should fullfil the aci rules
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  succeed
            5. Operation should  succeed
    """
    rule = '(targetattr="*")(version 3.0; acl "ACLGroup"; allow (all) groupdn = "ldap:///{}" ;)'
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci", [rule.format(ALLGROUPS_GLOBAL), rule.format(GROUPE_GLOBAL)])
    as_deep_user = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
    # Membership through the nested groups must grant the write.
    scratch = UserAccount(as_deep_user, DEEPGROUPSCRATCHENTRY_GLOBAL)
    scratch.add("sn", "Fred")
    scratch.remove("sn", "Fred")
def test_deny_all_access_with_targetfilter_using_substring_search_two(
        topo, test_uer, aci_of_user):
    """Search Test 17: deny all access with a ``targetfilter !=`` substring match.

    Every entry that does *not* match ``(uid=Anu*)`` is denied to every
    bind DN, so each regular user's ``(uid=*)`` search is reduced to the
    single matching entry, while Directory Manager still sees both.

    :id: 55b12d98-6e12-11e8-8cf4-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    search_filter = '(uid=*)'
    aci_body = ''.join([
        '(targetfilter !="(uid=Anu*)")(target = ldap:///{})(targetattr=*)'.format(DEFAULT_SUFFIX),
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)',
        'userdn="ldap:///anyone";)',
    ])
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    def count_visible(instance):
        return len(Accounts(instance, DEFAULT_SUFFIX).filter(search_filter))

    # Only the uid=Anu* entry survives the deny for regular binds.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert count_visible(conn) == 1
    # Root bind is not subject to the ACI.
    assert count_visible(topo.standalone) == 2
def test_deeply_nested_groups_aci_allow_two(topo, test_user, aci_of_user):
    """
        This aci will not allow search or modify to a user too deep to be detected.

        Only ALLGROUPS_GLOBAL is granted ``allow (all)``. Bound as
        DEEPUSER_GLOBAL, whose membership is nested too deeply for the
        group evaluation to resolve, the write must be refused; the entry's
        ``uid`` is still readable afterwards.

        :id: 8d3459c4-7840-11e8-8ed8-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Take a count of users using DN_DM
            3. Add test user
            4. add aci
            5. test should fullfil the aci rules
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  succeed
            5. Operation should  succeed
    """
    allow_rule = '(targetattr="*")(version 3.0; acl "ACLGroup"; allow (all) groupdn = "ldap:///{}" ;)'.format(ALLGROUPS_GLOBAL)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", allow_rule)
    as_deep_user = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
    scratch = UserAccount(as_deep_user, DEEPGROUPSCRATCHENTRY_GLOBAL)
    # The nesting is too deep for the groupdn rule to match: write is denied.
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        scratch.add("sn", "Fred")
    assert scratch.get_attr_val_utf8('uid') == 'scratchEntry'
def test_deny_all_access_with__target_set_on_non_leaf(topo, test_uer,
                                                      aci_of_user):
    """Search Test 11: deny all access with ``target !=`` set on a non-leaf.

    Everything outside CONTAINER_2_DELADD is denied to every bind DN, so a
    regular user's ``(cn=*)`` subtree search is reduced to exactly one
    visible entry, while Directory Manager still sees both fixture users.

    :id: f1c5d72a-6e11-11e8-aa9d-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    aci_body = ''.join([
        "(target != ldap:///{})(targetattr=*)".format(CONTAINER_2_DELADD),
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)',
        'userdn="ldap:///anyone";)',
    ])
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    def count_visible(instance):
        return len(Accounts(instance, DEFAULT_SUFFIX).filter('(cn=*)'))

    # Each regular bind is left with a single visible entry.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert count_visible(conn) == 1
    # Root bind reports the real number of users.
    assert count_visible(topo.standalone) == 2
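def test_undefined_in_group_eval_two(topo, test_user, aci_of_user):
    """
        This aci will allow access

        The groupdn rule lists two groups joined by ``||``. Bound as
        DEEPUSER_GLOBAL, a write to the scratch entry and a read of its
        ``uid`` must both succeed; the added ``sn`` value is removed again
        on every path.

        :id: fcfbcce2-7840-11e8-ba77-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Take a count of users using DN_DM
            3. Add test user
            4. add aci
            5. test should fullfil the aci rules
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  succeed
            5. Operation should  succeed
    """
    # The backslash-space after the first DN is part of the original test
    # data and is sent to the server unchanged; it is spelled "\\ " so the
    # literal is not an invalid escape sequence (a SyntaxWarning on newer
    # Pythons) that only happened to keep the backslash. Presumably this is
    # the "undefined" group reference the test name refers to -- TODO confirm.
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
    conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
    user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
    # This aci should allow access
    user.add("sn", "Fred")
    try:
        assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('uid') == 'scratchEntry'
    finally:
        # Leave the scratch entry as found even if the read assertion fails.
        user.remove("sn", "Fred")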
def create_user(topology_st):
    """User for binding operation

    Creates TEST_USER_NAME under DEFAULT_SUFFIX with password TEST_USER_PWD,
    then grants anonymous read/search/compare on the whole suffix except
    for ``userpassword`` and ``aci``, which stay hidden from unauthenticated
    clients. Adding the ACI is idempotent: a TYPE_OR_VALUE_EXISTS left by an
    earlier run is ignored. Nothing created here is removed by this
    function; presumably a fixture or the caller handles teardown -- TODO
    confirm.
    """

    users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
    users.create(
        properties={
            'cn': TEST_USER_NAME,
            'sn': TEST_USER_NAME,
            'userpassword': TEST_USER_PWD,
            # NOTE(review): the mail value was redacted in this listing; as
            # shown the literal has no "%s" placeholder, so the "%" would
            # raise TypeError -- restore the original format string.
            'mail': '*****@*****.**' % TEST_USER_NAME,
            'uid': TEST_USER_NAME,
            'uidNumber': '1000',
            'gidNumber': '1000',
            'homeDirectory': '/home/test'
        })

    # Add anonymous access aci
    # targetattr != "userpassword || aci": anonymous readers get everything
    # except password hashes and the access-control rules themselves.
    ACI_TARGET = "(targetattr != \"userpassword || aci\")(target = \"ldap:///%s\")" % (
        DEFAULT_SUFFIX)
    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
    suffix = Domain(topology_st.standalone, DEFAULT_SUFFIX)
    try:
        suffix.add('aci', ANON_ACI)
    except ldap.TYPE_OR_VALUE_EXISTS:
        # The identical ACI is already present, which is the desired end
        # state, so this is deliberately not treated as an error.
        pass
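def test_undefined_in_group_eval_four(topo, test_user, aci_of_user):
    """
        This aci will not allow access

        The groupdn rule is negated (``!=``) over two groups joined by
        ``||``. Bound as DEEPUSER1_GLOBAL, a write to the scratch entry must
        be refused with INSUFFICIENT_ACCESS, while its ``uid`` remains
        readable.

        :id: 0b03d10e-7841-11e8-9341-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Take a count of users using DN_DM
            3. Add test user
            4. add aci
            5. test should fullfil the aci rules
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  succeed
            5. Operation should  succeed
    """
    # The backslash-space after the first DN is part of the original test
    # data and is sent to the server unchanged; it is spelled "\\ " so the
    # literal is not an invalid escape sequence (a SyntaxWarning on newer
    # Pythons) that only happened to keep the backslash. Presumably this is
    # the "undefined" group reference the test name refers to -- TODO confirm.
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
    conn = UserAccount(topo.standalone, DEEPUSER1_GLOBAL).bind(PW_DM)
    # test UNDEFINED in group
    user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        user.add("sn", "Fred")
    assert user.get_attr_val_utf8('uid') == 'scratchEntry'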
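def test_deny_search_access_to_userdn_with_ldap_url(topo, test_uer,
                                                    aci_of_user):
    """Search Test 23 Deny search access to userdn with LDAP URL

    The bind DN is matched against ``ldap:///<suffix>??sub?(&(roomnumber=3445))``
    and ``search`` is denied to whoever matches. USER_ANANDA is given that
    roomnumber, so its ``(cn=*)`` search returns nothing (a denied search
    omits entries rather than raising); USER_ANUJ has no roomnumber and
    still sees both entries. The roomnumber is removed again on every path.

    :id: 94f082d8-6e12-11e8-be72-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)
    ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
    ACI_SUBJECT = ('userdn="ldap:///%s";)' %
                   "{}??sub?(&(roomnumber=3445))".format(DEFAULT_SUFFIX))
    ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
    ananda = UserAccount(topo.standalone, USER_ANANDA)
    ananda.set('roomnumber', '3445')
    try:
        conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
        # aci will block all users having roomnumber=3445
        assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
        conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
        # aci will block roomnumber=3445 for all users USER_ANUJ does not have roomnumber
        assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
    finally:
        # Undo the attribute even when an assertion fails, so USER_ANANDA
        # does not keep matching the URL filter in later tests.
        ananda.remove('roomnumber', '3445')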
def test_more_then_40_acl_will_crash_slapd(topo, clean, aci_of_user):
    """
    bug 334451 : more then 40 acl will crash slapd
    superseded by Bug 772778 - acl cache overflown problem with > 200 acis

    Adds forty anonymous read/search/compare rules to CONTAINER_1_DELADD
    (each excluding userPassword) and then checks that an anonymous bind is
    still served: reading the created user's uid must succeed.

    :id: 93a44c60-7db8-11e8-9439-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    accounting = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')
    created = accounting.create_test_user()

    target_part = '(target ="ldap:///{}")(targetattr !="userPassword")'.format(CONTAINER_1_DELADD)
    subject_part = 'userdn="ldap:///anyone";)'
    container = Domain(topo.standalone, CONTAINER_1_DELADD)
    # NOTE: range(40) adds exactly forty rules (ACI_0..ACI_39); whether the
    # container's total actually exceeds 40 depends on any ACIs already
    # present on it.
    for index in range(40):
        allow_part = '(version 3.0;acl "ACI_{}";allow (read, search, compare)'.format(index)
        container.add("aci", target_part + allow_part + subject_part)
    # The server must still answer an anonymous read once the rules are loaded.
    anon = Anonymous(topo.standalone).bind()
    assert UserAccount(anon, created.dn).get_attr_val_utf8('uid') == 'test_user_1000'

    # Removes every account under ou=Accounting, not only the one created here.
    for account in accounting.list():
        account.delete()
def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):
    """A timeofday bind rule spanning 0000..2359 grants access around the clock.

    :id: 5b4da91a-7ac5-11e8-bbda-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI whose timeofday range covers the whole day
        3. Bind as FULLWORKER_KEY and modify the target OU
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # allow(all) on the OU for the full-time worker, restricted to a
    # timeofday window that covers every minute of the day. The rule uses
    # the "aci" keyword rather than "acl"; the server appears to accept
    # both spellings (see test_accept_aci_in_addition_to_acl).
    timeofday_aci = (
        f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
        f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
        f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '
        f'(timeofday >= "0000" and timeofday <= "2359") ;)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", timeofday_aci)

    # Bind as the worker and prove the write goes through.
    worker_conn = UserAccount(topo.standalone, FULLWORKER_KEY).bind(PW_DM)
    target_ou = OrganizationalUnit(worker_conn, TIMEOFDAY_OU_KEY)
    target_ou.replace("seeAlso", "cn=1")
def test_accept_aci_in_addition_to_acl(topo, clean, aci_of_user):
    """Misc Test 2: an attribute-level deny written with the "acl" keyword is honoured.

    :id:8e9408fa-7db8-11e8-adaa-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add a test user under ou=product development with mail, givenname and userPassword
        2. Add a deny ACI covering only targetattr=givenname, for anyone
        3. Bind anonymously: givenname must be hidden while uid stays readable
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    accounts = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=product development')
    created = accounts.create_test_user()
    # dict insertion order keeps the original attribute write order.
    attrs = {
        'mail': '*****@*****.**',
        'givenname': 'Anuj',
        'userPassword': PW_DM,
    }
    for attr_name, attr_value in attrs.items():
        created.set(attr_name, attr_value)

    # Deny read/search/compare/write on givenname alone, for every bind
    # identity including anonymous; every other attribute is untouched.
    deny_givenname = (
        "(targetattr=givenname)"
        '(version 3.0; acl "Name of the ACI"; deny (read, search, compare, write)'
        'userdn="ldap:///anyone";)'
    )
    Domain(topo.standalone, CONTAINER_1_DELADD).add("aci", deny_givenname)

    anon_conn = Anonymous(topo.standalone).bind()
    visible = UserAccount(anon_conn, created.dn)
    # givenname is denied, so the read cannot yield 'Anuj'; the test
    # expresses that as the inner assert raising AssertionError.
    with pytest.raises(AssertionError):
        assert visible.get_attr_val_utf8('givenname') == 'Anuj'
    # uid is outside the deny and remains readable anonymously.
    assert visible.get_attr_val_utf8('uid') == 'test_user_1000'

    for entry in accounts.list():
        entry.delete()
def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user):
    """A dayofweek bind rule listing all seven days grants access on any day.

    :id: 6c5922ca-7ac5-11e8-8f01-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI whose dayofweek list names every day of the week
        3. Bind as EVERYDAY_KEY and modify the target OU
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # allow(all) on the OU for EVERYDAY_KEY, restricted to a dayofweek
    # list that contains all seven days, so the restriction never bites.
    dayofweek_aci = (
        f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
        f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
        f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '
        f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", dayofweek_aci)

    # Bind as the everyday user and prove the write goes through.
    everyday_conn = UserAccount(topo.standalone, EVERYDAY_KEY).bind(PW_DM)
    target_ou = OrganizationalUnit(everyday_conn, DAYOFWEEK_OU_KEY)
    target_ou.replace("seeAlso", "cn=1")
def test_deny_all_access_with__target_set_on_wildcard_leaf(
        topo, test_uer, aci_of_user):
    """Search Test 13 Deny all access with != target set on wildcard leaf

    :id: 16c54d76-6e12-11e8-b5ba-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    # "target !=" inverts the match: every entry that does NOT fit
    # uid=Anuj*,ou=*,<suffix> is denied absolutely to anyone, so only the
    # Anuj* leaf remains visible to a non-root bind.
    deny_outside_anuj = (
        "(target != ldap:///uid=Anuj*, ou=*,{})(targetattr=*)".format(DEFAULT_SUFFIX)
        + '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
        + 'userdn="ldap:///anyone";)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", deny_outside_anuj)

    # Each regular user sees exactly one entry through the search.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        bound = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert len(Accounts(bound, DEFAULT_SUFFIX).filter('(cn=*)')) == 1
    # The root connection is not subject to the ACI and sees both entries.
    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)')) == 2
def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):
    """A user not named in the allow rule's userdn gets INSUFFICIENT_ACCESS.

    :id: 75cdac5e-7ac5-11e8-968a-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI granting allow(all) on the OU to TODAY_KEY only
        3. Bind as NODAY_KEY and attempt to modify the OU
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Only TODAY_KEY appears in userdn, so NODAY_KEY can never satisfy this
    # rule whatever the dayofweek clause evaluates to.
    # NOTE(review): "$NEW_DATE" is a literal inside the f-string, not a
    # substituted day name — it looks like a shell-script leftover; confirm
    # the server accepts it as a dayofweek value rather than rejecting the ACI.
    today_only_aci = (
        f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
        f'(targetattr="*")(version 3.0; aci "Dayofweek aci";  '
        f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
        f'and dayofweek = "$NEW_DATE" ;)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", today_only_aci)

    # Bind as the user the rule does not cover; the write must be refused.
    noday_conn = UserAccount(topo.standalone, NODAY_KEY).bind(PW_DM)
    target_ou = OrganizationalUnit(noday_conn, DAYOFWEEK_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        target_ou.replace("seeAlso", "cn=1")
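def test_allow_delete_access_not_to_userdn(topo, _add_user, _aci_of_user):
    """Allow delete only to binders whose DN is *not* USER_WITH_ACI_DELADD.

    :id: 00637f6e-68e3-11e8-92a3-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI that allows delete to every userdn except USER_WITH_ACI_DELADD
        3. Bind as USER_WITH_ACI_DELADD and try to delete USER_DELADD
        4. Remove ACI
    :expectedresults:
        1. Entry should be added
        2. ACI should be added
        3. Operation should  not succeed
        4. Delete operation for ACI should succeed
    """
    # Build the ACI with one formatting style. The original mixed an
    # f-string with %-formatting and used f-strings without placeholders;
    # the resulting ACI text is byte-identical to what was sent before.
    aci_target = '(targetattr="*")'
    aci_allow = f'(version 3.0; acl "All rights for {USER_DELADD}"; allow (delete) '
    # "userdn!=" grants the right to everyone EXCEPT the named DN.
    aci_subject = f'userdn!="ldap:///{USER_WITH_ACI_DELADD}";)'

    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", aci_target + aci_allow + aci_subject)

    # Bind as the one DN the rule excludes.
    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

    # The excluded binder must not be able to delete the entry.
    user = UserAccount(conn, USER_DELADD)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        user.delete()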