def test_deny_read_search_and_compare_access_with_target_and_targetattr_set(
        topo, test_uer, aci_of_user):
    """Search Test 4: deny read, search and compare access with target and targetattr set.

    A ``deny absolute (all)`` ACI scoped to ``CONTAINER_2_DELADD`` with
    ``targetattr="*"`` and subject ``userdn="ldap:///anyone"`` is added to the
    suffix.  Both regular test users must then get an empty result for
    ``(ou=Accounting)``, while the root connection (``topo.standalone``) still
    sees the single entry.

    :id: 3f4a87e4-6e11-11e8-a09f-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry, test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should succeed
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail
        5. Operation should succeed
    """
    aci_body = (
        f'(target = ldap:///{CONTAINER_2_DELADD})(targetattr="*")'
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
        'userdn="ldap:///anyone";)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    search_filter = '(ou=Accounting)'
    # "anyone" covers every bind, so each test user is denied the container.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        user_conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert len(Accounts(user_conn, DEFAULT_SUFFIX).filter(search_filter)) == 0
    # The root connection is not subject to the ACI and still finds the entry.
    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter(search_filter)) == 1
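def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_user):
    """User can access the data only in the afternoon as per the ACI.

    The ACI grants ``allow(all)`` on ``TIMEOFDAY_OU_KEY`` to ``NIGHTWORKER_KEY``
    only while ``timeofday > '1200'``, so the expected outcome is derived from
    the local clock at test time.  Because the comparison is strict, 12:00
    itself is still outside the window; the cut-off is therefore evaluated on
    the full HHMM value rather than on the hour alone (the original
    ``hour < 12`` check expected success during the 12:00 minute).

    :id: 63eb5b1c-7ac5-11e8-bd46-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # Add ACI
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",
                                                f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
                                                f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
                                                f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" '
                                                f'and timeofday > \'1200\' ;)')
    # create a new connection for the test
    conn = UserAccount(topo.standalone, NIGHTWORKER_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)

    # timeofday is a four-digit HHMM value on the server side; in a standalone
    # topology the server clock is assumed to be this host's clock.  The minute
    # can still roll over between this read and the modify — an inherent race.
    now = datetime.now()
    hhmm = now.hour * 100 + now.minute
    if hhmm <= 1200:
        # 1200 exactly is not > 1200, so it is denied as well.
        with pytest.raises(ldap.INSUFFICIENT_ACCESS):
            org.replace("seeAlso", "cn=1")
    else:
        org.replace("seeAlso", "cn=1")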
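def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):
    """User can access the data one day per week as per the ACI.

    The ACI grants ``allow(all)`` on ``DAYOFWEEK_OU_KEY`` to ``TODAY_KEY`` only
    for ``dayofweek = '<today>'``.  The day name is computed from
    ``time.localtime().tm_wday`` with a fixed English table instead of
    ``time.strftime("%c")``, whose output (and the position of the weekday in
    it) depends on the process locale; the ACI keyword expects the English
    three-letter abbreviations used elsewhere in this module
    ("Sun, Mon, Tue, ...").

    :id: 7131dc88-7ac5-11e8-acc2-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # tm_wday: Monday == 0 ... Sunday == 6.  Locale independent.
    day_names = ('Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun')
    today_1 = day_names[time.localtime().tm_wday]
    # Add ACI
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",
                                                f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
                                                f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
                                                f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
                                                f'and dayofweek = \'{today_1}\' ;)')
    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, TODAY_KEY).bind(PW_DM)
    # Perform Operation (a midnight rollover between the clock read and the
    # modify would make this fail; the server evaluates its own local time).
    org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
    org.replace("seeAlso", "cn=1")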
def test_deny_search_access_to_userdn_with_ldap_url_matching_all_users(
        topo, test_uer, aci_of_user):
    """Search Test 25: deny search access to userdn with an LDAP URL matching all users.

    The bind rule is ``userdn="ldap:///<suffix>??sub?(&(cn=*))"`` — an LDAP URL
    whose filter matches every entry with a ``cn`` — combined with
    ``deny (search)`` on the whole suffix.  Both test users therefore get an
    empty result for ``(cn=*)``; the root connection still sees both entries.

    :id: b37f72ae-6e12-11e8-9c98-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry, test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should succeed
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail
        5. Operation should succeed
    """
    subject_url = f'{DEFAULT_SUFFIX}??sub?(&(cn=*))'
    aci_body = (
        f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
        '(version 3.0; acl "Name of the ACI"; deny (search)'
        f'userdn = "ldap:///{subject_url}";)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    search_filter = '(cn=*)'
    # Every bound user matches the URL filter, so search is denied for both.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        user_conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert len(Accounts(user_conn, DEFAULT_SUFFIX).filter(search_filter)) == 0
    # The root connection is not subject to the ACI.
    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter(search_filter)) == 2
def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):
    """User NoIP cannot access the data as per the ACI.

    The ACI grants ``allow(all)`` on ``IP_OU_KEY`` to ``FULLIP_KEY`` from any
    client address (``ip = "*"``).  The test binds as ``NOIP_KEY``, which is not
    the ACI's userdn, so the modify must be refused with
    ``INSUFFICIENT_ACCESS``.  NOTE(review): because the bind DN differs from
    the ACI subject, the denial follows from the userdn clause alone; the
    ``ip`` clause is not what decides this case.

    :id: 570bc7f6-7ac5-11e8-88c1-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    ip_aci = (
        f'(target ="ldap:///{IP_OU_KEY}")'
        f'(targetattr="*")(version 3.0; aci "IP aci"; allow(all) '
        f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ip_aci)

    # Bind as the user that the ACI does not name.
    noip_conn = UserAccount(topo.standalone, NOIP_KEY).bind(PW_DM)
    target_ou = OrganizationalUnit(noip_conn, IP_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        target_ou.replace("seeAlso", "cn=1")
def test_deny_all_access_with_userdn(topo, test_uer, aci_of_user):
    """Search Test 20: deny all access with userdn.

    ``deny absolute (all)`` on the whole suffix, but only for
    ``userdn="ldap:///<USER_ANANDA>"``.  USER_ANANDA must therefore see nothing
    for ``(cn=*)``, while USER_ANUJ (not named by the ACI) and the root
    connection both see the two entries.

    :id: 75aada86-6e12-11e8-bd34-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry, test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should succeed
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail
        5. Operation should succeed
    """
    aci_body = (
        f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
        f'userdn="ldap:///{USER_ANANDA}";)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    search_filter = '(cn=*)'
    # Only USER_ANANDA is the ACI subject, so only that bind is denied.
    ananda_conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
    assert len(Accounts(ananda_conn, DEFAULT_SUFFIX).filter(search_filter)) == 0
    anuj_conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
    assert len(Accounts(anuj_conn, DEFAULT_SUFFIX).filter(search_filter)) == 2
    # The root connection is not subject to the ACI.
    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter(search_filter)) == 2
def aci_with_attr_subtype(request, topology_m2):
    """Adds and deletes an ACI in the DEFAULT_SUFFIX.

    Expects ``request.param`` to be the attribute subtype under test.  Adds a
    target attribute (``protectedOperation``) and a user attribute
    (``allowedToPerform``) through ``add_attr``, then installs a read ACI whose
    ``targetattr`` and ``userattr`` both carry that subtype, with the bind rule
    ``userattr = "allowedToPerform;<subtype>#GROUPDN"``.  The finalizer removes
    exactly the ACI value that was added; the attributes themselves are not
    removed here.

    :returns: the ACI string that was added to the suffix
    """
    target_attr = 'protectedOperation'
    user_attr = 'allowedToPerform'
    subtype = request.param
    suffix = Domain(topology_m2.ms["supplier1"], DEFAULT_SUFFIX)

    log.info("========Executing test with '%s' subtype========", subtype)
    log.info(" Add a target attribute")
    add_attr(topology_m2, target_attr)
    log.info(" Add a user attribute")
    add_attr(topology_m2, user_attr)

    aci_body = (
        f'(targetattr={target_attr};{subtype})'
        '(version 3.0; acl "test aci for subtypes"; allow (read) '
        f'userattr = "{user_attr};{subtype}#GROUPDN";)'
    )
    log.info("Add an ACI with attribute subtype")
    suffix.add('aci', aci_body)

    def fin():
        log.info("Finally, delete an ACI with the '%s' subtype", subtype)
        suffix.remove('aci', aci_body)

    request.addfinalizer(fin)
    return aci_body
def test_deny_group_member_all_rights_to_user(topo, aci_of_user, test_user):
    """Try deleting a user while the bound user's group has no access.

    ``deny (all)`` for ``groupdn = "ldap:///<BIG_GLOBAL>"`` on every attribute is
    added to the suffix.  Bound as ``uid=Ted Morris, ou=Accounting``, deleting
    ``DEEPUSER3_GLOBAL`` must be refused with ``INSUFFICIENT_ACCESS``.

    :id: 0da68a4c-7840-11e8-98c2-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Take a count of users using DN_DM
        3. delete test user
        4. add aci
        5. test should fulfil the aci rules
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
    """
    group_deny = (
        f'(targetattr="*")(version 3.0; acl "ACLGroup"; deny (all) '
        f'groupdn = "ldap:///{BIG_GLOBAL}" ;)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", group_deny)

    ted_dn = f"uid=Ted Morris, ou=Accounting, {DEFAULT_SUFFIX}"
    ted_conn = UserAccount(topo.standalone, ted_dn).bind(PW_DM)
    # Members of BIG_GLOBAL are denied every right, so the delete must fail.
    victim = UserAccount(ted_conn, DEEPUSER3_GLOBAL)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        victim.delete()
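def test_deny_group_member_all_rights_to_group_members(topo, aci_of_user, test_user):
    """Deny group members all rights.

    ``deny (all)`` for ``groupdn = "ldap:///<BIG_GLOBAL>"`` is added to the
    suffix, a throw-away user is created under ``ou=AclGroup`` on the root
    connection, and ``uid=Ted Morris, ou=Accounting`` (a BIG_GLOBAL member per
    the test's premise) must be unable to read it: the test expects
    ``IndexError`` from ``get_attr_val_utf8``, i.e. lib389 found no entry to
    read.

    Changes from the original: the throw-away user is removed in a ``finally``
    so a failing assertion does not leave it behind for later tests, and its DN
    is taken from the created object instead of a hard-coded
    ``dc=example,dc=com`` suffix.

    :id: 2d4ff70c-7840-11e8-8472-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Take a count of users using DN_DM
        3. Add test user
        4. add aci
        5. test should fulfil the aci rules
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        f'(targetattr="*")(version 3.0; acl "ACLGroup"; deny (all) groupdn = "ldap:///{BIG_GLOBAL}" ;)')
    # Created on the root connection so it can always be removed afterwards.
    test_entry = UserAccounts(topo.standalone, DEFAULT_SUFFIX, "ou=AclGroup").create_test_user()
    try:
        conn = UserAccount(topo.standalone, f"uid=Ted Morris, ou=Accounting, {DEFAULT_SUFFIX}").bind(PW_DM)
        # group BIG_GLOBAL has no access: the entry is not readable on this bind.
        hidden = UserAccount(conn, test_entry.dn)
        with pytest.raises(IndexError):
            hidden.get_attr_val_utf8('uid')
    finally:
        test_entry.delete()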
def _create_schema(request, topo):
    """Fixture: install the bitwise test schema, a dedicated backend/suffix and the test users.

    Adds two attribute types (``testUserAccountControl``, integer syntax, and
    ``testUserStatus``, directory-string syntax) plus the ``testperson``
    object class that requires them, creates the ``AnujRoot`` backend for
    ``SUFFIX`` with its top-level ``dc=anuj`` entry, and populates it with the
    users below through ``CreateUsers``.  The finalizer deletes the users, the
    suffix entry and the backend; the schema additions are left in place.
    """
    schema = Schema(topo.standalone)
    schema.add('attributetypes', [
        "( NAME 'testUserAccountControl' DESC 'Attribute Bitwise filteri-Multi-Valued'"
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )",
        "( NAME 'testUserStatus' DESC 'State of User account active/disabled'"
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"])
    schema.add('objectClasses',
               "( NAME 'testperson' SUP top STRUCTURAL MUST "
               "( sn $ cn $ testUserAccountControl $ "
               "testUserStatus )MAY( userPassword $ telephoneNumber $ "
               "seeAlso $ description ) X-ORIGIN 'BitWise' )")

    # Dedicated backend and suffix entry for the bitwise tests.
    backend = Backends(topo.standalone).create(properties={
        'nsslapd-suffix': SUFFIX,
        'cn': 'AnujRoot'
    })
    suffix = Domain(topo.standalone, SUFFIX).create(properties={'dc': 'anuj'})

    # (uid, testUserAccountControl values, testUserStatus values, uidNumber).
    # 'PasswordExxpired' is kept verbatim — other tests may match on it.
    user_specs = (
        ('btestuser1', ['514'], ['Disabled'], 100),
        ('btestuser2', ['65536'], ['PasswordNeverExpired'], 101),
        ('btestuser3', ['8388608'], ['PasswordExpired'], 102),
        ('btestuser4', ['256'], ['TempDuplicateAccount'], 103),
        ('btestuser5', ['16777216'], ['TrustedAuthDelegation'], 104),
        ('btestuser6', ['528'], ['AccountLocked'], 105),
        ('btestuser7', ['513'], ['AccountActive'], 106),
        ('btestuser11', ['655236'], ['TestStatus1'], 107),
        ('btestuser12', ['665522'], ['TestStatus2'], 108),
        ('btestuser13', ['266552'], ['TestStatus3'], 109),
        ('btestuser8', ['98536', '99512', '99528'],
         ['AccountActive', 'PasswordExxpired', 'AccountLocked'], 110),
        ('btestuser9', ['87536', '912'],
         ['AccountActive', 'PasswordNeverExpired'], 111),
        ('btestuser10', ['89536', '97546', '96579'],
         ['TestVerify1', 'TestVerify2', 'TestVerify3'], 112),
    )
    users = UserAccounts(topo.standalone, suffix.dn, rdn=None)
    for uid, control_values, status_values, uid_number in user_specs:
        CreateUsers(users, uid, control_values, status_values, uid_number).user_create()

    def fin():
        """Deletes entries after the test."""
        for entry in users.list():
            entry.delete()
        suffix.delete()
        backend.delete()

    request.addfinalizer(fin)
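def test_caching_changes(topo, aci_of_user, test_user):
    """Add a user and then test that the denied attribute is not readable.

    ``deny ( read, search )`` on ``targetattr="roomnumber"`` for
    ``userdn = "ldap:///all"`` is added to the suffix, a throw-away user gets
    ``roomnumber`` set, and ``DEEPUSER_GLOBAL`` must then not be able to read
    that attribute (the read yields nothing, so the inner ``assert`` fails).

    Change from the original: the throw-away user is removed in a ``finally``
    so a failing assertion does not leave it behind, and its DN is taken from
    the created object instead of a hard-coded ``dc=example,dc=com`` suffix.

    :id: 26ed2dc2-783f-11e8-b1a5-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Take a count of users using DN_DM
        3. Add test user
        4. add aci
        5. test should fulfil the aci rules
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        '(targetattr="roomnumber")(version 3.0; acl "ACLGroup"; deny ( read, search ) userdn = "ldap:///all" ;)')
    # Created and populated on the root connection, which the ACI does not bind.
    test_entry = UserAccounts(topo.standalone, DEFAULT_SUFFIX, "ou=AclGroup").create_test_user()
    try:
        test_entry.set('roomnumber', '3445')
        conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
        # targetattr="roomnumber" is denied to every bound user.
        restricted = UserAccount(conn, test_entry.dn)
        with pytest.raises(AssertionError):
            assert restricted.get_attr_val_utf8('roomNumber')
    finally:
        test_entry.delete()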
def test_deny_all_access_with_target_set(topo, test_uer, aci_of_user):
    """Deny all access with target set.

    ``deny absolute (all)`` for ``userdn="ldap:///anyone"`` targeted at the
    single entry ``USER_ANANDA``.  Neither test user (not even USER_ANANDA on
    its own entry) may find it with ``(cn=Ananda*)``; the root connection
    still sees it.

    :id: 0550e680-6e0e-11e8-82f4-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry, test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should succeed
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail
        5. Operation should succeed
    """
    aci_body = (
        f'(target = ldap:///{USER_ANANDA})(targetattr="*")'
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
        'userdn="ldap:///anyone";)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    search_filter = '(cn=Ananda*)'
    # "anyone" includes the entry's own user, so both binds are denied.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        user_conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert len(Accounts(user_conn, DEFAULT_SUFFIX).filter(search_filter)) == 0
    # The root connection is not subject to the ACI.
    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter(search_filter)) == 1
def test_deny_all_access_with__target_set(topo, test_uer, aci_of_user, request):
    """Search Test 8: deny all access with ``!=`` target set.

    ``(target != "ldap:///<USER_ANANDA>")`` with ``deny absolute (all)`` for
    anyone: every entry *except* USER_ANANDA's is denied.  Each test user
    therefore sees exactly one entry for ``(cn=*)`` (USER_ANANDA's), while the
    root connection sees all four.  The ACI is named after the running test
    node.

    :id: bc00aed0-6e11-11e8-be66-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry, test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should succeed
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail
        5. Operation should succeed
    """
    aci_body = (
        f'(target != "ldap:///{USER_ANANDA}")(targetattr = "*")'
        f'(version 3.0; acl "{request.node.name}"; deny absolute (all) (userdn = "ldap:///anyone") ;)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    search_filter = '(cn=*)'
    # Only the excluded target (USER_ANANDA's entry) stays visible to users.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        user_conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert len(Accounts(user_conn, DEFAULT_SUFFIX).filter(search_filter)) == 1
    # The root connection is not subject to the ACI.
    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter(search_filter)) == 4
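def test_deny_all_access_to_userdnattr(topo, test_uer, aci_of_user):
    """Search Test 7: deny all access to userdnattr.

    USER_ANUJ's entry gets ``manager: <USER_ANANDA>``; the ACI then denies
    everything on the suffix to whoever is named in the target entry's
    ``manager`` attribute (``userdnattr="manager"``).  USER_ANANDA must not
    find ``(cn=Anuj Borah)``, while USER_ANUJ and the root connection still do.

    Change from the original: the ``manager`` value is removed in a
    ``finally`` so a failed assertion cannot leave it behind for other tests.

    :id: ae482494-6e11-11e8-ae33-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry, test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should succeed
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail
        5. Operation should succeed
    """
    anuj_entry = UserAccount(topo.standalone, USER_ANUJ)
    anuj_entry.add('manager', USER_ANANDA)
    try:
        ACI_TARGET = f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
        ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
        ACI_SUBJECT = 'userdnattr="manager";)'
        ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
        Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

        search_filter = '(cn=Anuj Borah)'
        # USER_ANANDA is the value of the target's manager attribute: denied.
        conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
        assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter(search_filter))
        # USER_ANUJ is not named by userdnattr="manager": still allowed.
        conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
        assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter(search_filter))
        # with root there is no aci blockage
        assert 1 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter(search_filter))
    finally:
        anuj_entry.remove('manager', USER_ANANDA)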
def test_deny_all_access_with_targetfilter_using_equality_search(
        topo, test_uer, aci_of_user):
    """Search Test 14: deny all access with targetfilter using an equality search.

    ``(targetfilter ="(uid=Anuj Borah)")`` restricts the ``deny absolute (all)``
    to the one entry matching that filter.  Neither test user may find it with
    ``(uid=Anuj Borah)``; the root connection still does.

    :id: 27255e04-6e12-11e8-8e35-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry, test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should succeed
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail
        5. Operation should succeed
    """
    aci_body = (
        f'(targetfilter ="(uid=Anuj Borah)")(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
        'userdn="ldap:///anyone";)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    search_filter = '(uid=Anuj Borah)'
    # The filtered entry is denied to anyone, including its own user.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        user_conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert len(Accounts(user_conn, DEFAULT_SUFFIX).filter(search_filter)) == 0
    # The root connection is not subject to the ACI.
    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter(search_filter)) == 1
def test_deeply_nested_groups_aci_allow(topo, test_user, aci_of_user):
    """Test deeply nested groups (3): this ACI pair allows search and modify.

    Two ``allow (all)`` ACIs are added, one for ``ALLGROUPS_GLOBAL`` and one for
    ``GROUPE_GLOBAL`` (both named "ACLGroup").  Bound as ``DEEPUSER_GLOBAL``, an
    add and a remove of ``sn`` on ``DEEPGROUPSCRATCHENTRY_GLOBAL`` must both
    succeed.

    :id: 8d338210-7840-11e8-8584-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Take a count of users using DN_DM
        3. Add test user
        4. add aci
        5. test should fulfil the aci rules
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
    """
    allow_acis = [
        f'(targetattr="*")(version 3.0; acl "ACLGroup"; allow (all) groupdn = "ldap:///{group_dn}" ;)'
        for group_dn in (ALLGROUPS_GLOBAL, GROUPE_GLOBAL)
    ]
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", allow_acis)

    deep_conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
    # Modify through the nested-group membership; both operations must pass.
    scratch = UserAccount(deep_conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
    scratch.add("sn", "Fred")
    scratch.remove("sn", "Fred")
def test_deny_all_access_with_targetfilter_using_substring_search_two(
        topo, test_uer, aci_of_user):
    """Search Test 17: deny all access with targetfilter using a ``!=`` substring search.

    ``(targetfilter !="(uid=Anu*)")`` applies the ``deny absolute (all)`` to
    every entry that does *not* match ``uid=Anu*``.  Each test user therefore
    finds exactly one entry for ``(uid=*)`` — the ``Anu*`` one — and the root
    connection finds both.

    :id: 55b12d98-6e12-11e8-8cf4-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry, test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should succeed
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail
        5. Operation should succeed
    """
    aci_body = (
        f'(targetfilter !="(uid=Anu*)")(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
        'userdn="ldap:///anyone";)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    search_filter = '(uid=*)'
    # Only the uid=Anu* entry escapes the deny; everything else is hidden.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        user_conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert len(Accounts(user_conn, DEFAULT_SUFFIX).filter(search_filter)) == 1
    # The root connection is not subject to the ACI.
    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter(search_filter)) == 2
def test_deeply_nested_groups_aci_allow_two(topo, test_user, aci_of_user):
    """An ALLGROUPS-only ACI does not reach a user nested too deep to be detected.

    Only ``allow (all)`` for ``groupdn = "ldap:///<ALLGROUPS_GLOBAL>"`` is added.
    Bound as ``DEEPUSER_GLOBAL``, a modify of ``DEEPGROUPSCRATCHENTRY_GLOBAL``
    must be refused with ``INSUFFICIENT_ACCESS`` (the test's premise is that
    this user's membership is nested beyond what the server resolves), yet the
    entry's ``uid`` remains readable.

    :id: 8d3459c4-7840-11e8-8ed8-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Take a count of users using DN_DM
        3. Add test user
        4. add aci
        5. test should fulfil the aci rules
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
    """
    allgroups_aci = (
        f'(targetattr="*")(version 3.0; acl "ACLGroup"; allow (all) '
        f'groupdn = "ldap:///{ALLGROUPS_GLOBAL}" ;)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", allgroups_aci)

    deep_conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
    scratch = UserAccount(deep_conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
    # Write is denied because the membership is not resolved; read still works.
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        scratch.add("sn", "Fred")
    assert scratch.get_attr_val_utf8('uid') == 'scratchEntry'
def test_deny_all_access_with__target_set_on_non_leaf(topo, test_uer, aci_of_user):
    """Search Test 11: deny all access with ``!=`` target set on a non-leaf.

    ``(target != ldap:///<CONTAINER_2_DELADD>)`` with ``deny absolute (all)``
    for anyone: everything outside that container is denied.  Each test user
    then finds exactly one entry for ``(cn=*)``; the root connection finds two.

    :id: f1c5d72a-6e11-11e8-aa9d-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry, test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should succeed
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail
        5. Operation should succeed
    """
    aci_body = (
        f'(target != ldap:///{CONTAINER_2_DELADD})(targetattr=*)'
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
        'userdn="ldap:///anyone";)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    search_filter = '(cn=*)'
    # Each user is limited to the single entry left outside the deny.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        user_conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert len(Accounts(user_conn, DEFAULT_SUFFIX).filter(search_filter)) == 1
    # The root connection returns the actual number of entries.
    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter(search_filter)) == 2
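def test_undefined_in_group_eval_two(topo, test_user, aci_of_user):
    """This ACI (``groupdn`` list ALLGROUPS || GROUPG) allows access.

    Bound as ``DEEPUSER_GLOBAL``, an add of ``sn`` on
    ``DEEPGROUPSCRATCHENTRY_GLOBAL`` must succeed, ``uid`` must be readable,
    and the value is removed again.

    Change from the original: the ACI literal spelled the backslash as the
    invalid escape ``'\\ '``, which Python keeps as a literal backslash but
    reports as a SyntaxWarning (an error in a future release).  It is now
    written as ``'\\\\ '``, so the ACI value sent to the server is
    byte-for-byte the same.

    :id: fcfbcce2-7840-11e8-ba77-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Take a count of users using DN_DM
        3. Add test user
        4. add aci
        5. test should fulfil the aci rules
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
    """
    # NOTE(review): the backslash before " || " is preserved from the original
    # ACI; it looks like a stray line continuation.  The test passes with it,
    # so confirm how the server parses the '||' list before removing it.
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        f'(targetattr="*")(version 3.0; aci "tester"; allow(all) '
        f'groupdn = "ldap:///{ALLGROUPS_GLOBAL}\\ || ldap:///{GROUPG_GLOBAL}";)')
    conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
    user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
    # This aci should allow access
    user.add("sn", "Fred")
    assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('uid') == 'scratchEntry'
    user.remove("sn", "Fred")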
def create_user(topology_st):
    """User for binding operation.

    Fixture: creates ``TEST_USER_NAME`` under ``DEFAULT_SUFFIX`` with password
    ``TEST_USER_PWD`` and adds an anonymous read/search/compare ACI on the
    suffix that excludes ``userpassword`` and ``aci`` from what anyone can
    read.  Adding the ACI is best-effort: ``TYPE_OR_VALUE_EXISTS`` (the same
    ACI value is already present) is swallowed.

    No teardown is registered here; the user and the ACI stay in place unless
    another fixture removes them.
    """
    users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
    users.create(
        properties={
            'cn': TEST_USER_NAME,
            'sn': TEST_USER_NAME,
            'userpassword': TEST_USER_PWD,
            # NOTE(review): the template literal contains no %-placeholder, so
            # this '%' raises TypeError at runtime; the literal looks redacted —
            # confirm the intended mail template against upstream.
            'mail': '*****@*****.**' % TEST_USER_NAME,
            'uid': TEST_USER_NAME,
            'uidNumber': '1000',
            'gidNumber': '1000',
            'homeDirectory': '/home/test'
        })
    # Add anonymous access aci
    # userpassword and aci are kept out of the readable set so an anonymous
    # client can neither pull password values nor inspect the access policy.
    ACI_TARGET = "(targetattr != \"userpassword || aci\")(target = \"ldap:///%s\")" % (
        DEFAULT_SUFFIX)
    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
    suffix = Domain(topology_st.standalone, DEFAULT_SUFFIX)
    try:
        suffix.add('aci', ANON_ACI)
    except ldap.TYPE_OR_VALUE_EXISTS:
        # The identical ACI is already on the suffix (e.g. an earlier run).
        pass
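def test_undefined_in_group_eval_four(topo, test_user, aci_of_user):
    """This ACI (``groupdn !=`` ALLGROUPS || GROUPG) does not allow access.

    Bound as ``DEEPUSER1_GLOBAL``, an add of ``sn`` on
    ``DEEPGROUPSCRATCHENTRY_GLOBAL`` must be refused with
    ``INSUFFICIENT_ACCESS`` while ``uid`` stays readable.

    Change from the original: the ACI literal spelled the backslash as the
    invalid escape ``'\\ '``, which Python keeps as a literal backslash but
    reports as a SyntaxWarning (an error in a future release).  It is now
    written as ``'\\\\ '``, so the ACI value sent to the server is
    byte-for-byte the same.

    :id: 0b03d10e-7841-11e8-9341-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Take a count of users using DN_DM
        3. Add test user
        4. add aci
        5. test should fulfil the aci rules
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
    """
    # NOTE(review): the backslash before " || " is preserved from the original
    # ACI; it looks like a stray line continuation.  The test passes with it,
    # so confirm how the server parses the '||' list before removing it.
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        f'(targetattr="*")(version 3.0; aci "tester"; allow(all) '
        f'groupdn != "ldap:///{ALLGROUPS_GLOBAL}\\ || ldap:///{GROUPG_GLOBAL}";)')
    conn = UserAccount(topo.standalone, DEEPUSER1_GLOBAL).bind(PW_DM)
    # test UNDEFINED in group
    user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        user.add("sn", "Fred")
    assert user.get_attr_val_utf8('uid') == 'scratchEntry'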
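def test_deny_search_access_to_userdn_with_ldap_url(topo, test_uer, aci_of_user):
    """Search Test 23: deny search access to userdn with an LDAP URL.

    The bind rule is the LDAP URL
    ``ldap:///<suffix>??sub?(&(roomnumber=3445))``, combined with
    ``deny (search)`` on the whole suffix.  USER_ANANDA is given
    ``roomnumber: 3445`` and must then get an empty result for ``(cn=*)``;
    USER_ANUJ has no ``roomnumber`` and still sees both entries.

    Change from the original: ``roomnumber`` is removed from USER_ANANDA in a
    ``finally`` so a failed assertion cannot leave it behind for other tests
    (the original also carried a dangling "with root" comment with no
    assertion after it).

    :id: 94f082d8-6e12-11e8-be72-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry, test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should succeed
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail
        5. Operation should succeed
    """
    ACI_TARGET = f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
    ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'
    ACI_SUBJECT = f'userdn="ldap:///{DEFAULT_SUFFIX}??sub?(&(roomnumber=3445))";)'
    ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    ananda_entry = UserAccount(topo.standalone, USER_ANANDA)
    ananda_entry.set('roomnumber', '3445')
    try:
        search_filter = '(cn=*)'
        # USER_ANANDA now matches the URL filter: search is denied.
        conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
        assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter(search_filter))
        # USER_ANUJ has no roomnumber, so the bind rule does not apply.
        conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
        assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter(search_filter))
    finally:
        ananda_entry.remove('roomnumber', '3445')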
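def test_more_then_40_acl_will_crash_slapd(topo, clean, aci_of_user):
    """bug 334451: more than 40 ACIs must not crash slapd.

    Superseded by Bug 772778 - acl cache overflown problem with > 200 acis.

    Forty read/search/compare ACIs for ``userdn="ldap:///anyone"``, each with
    ``targetattr !="userPassword"``, are added on ``CONTAINER_1_DELADD``; an
    anonymous bind must afterwards still read ``uid`` of a user created under
    ``ou=Accounting``.

    Change from the original: the user cleanup runs in a ``finally`` so a
    failed assertion does not leave entries behind.

    :id: 93a44c60-7db8-11e8-9439-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')
    user = uas.create_test_user()
    try:
        aci_target = f'(target ="ldap:///{CONTAINER_1_DELADD}")(targetattr !="userPassword")'
        container = Domain(topo.standalone, CONTAINER_1_DELADD)
        # more than 40 ACIs will not crash slapd
        for i in range(40):
            aci_allow = f'(version 3.0;acl "ACI_{i}";allow (read, search, compare)'
            aci_subject = 'userdn="ldap:///anyone";)'
            container.add("aci", aci_target + aci_allow + aci_subject)
        conn = Anonymous(topo.standalone).bind()
        assert UserAccount(conn, user.dn).get_attr_val_utf8('uid') == 'test_user_1000'
    finally:
        # Note: this removes every entry listed under ou=Accounting, not only
        # the user created above (unchanged from the original cleanup).
        for entry in uas.list():
            entry.delete()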
def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):
    """User can access the data at any time as per the ACI.

    The ACI grants ``allow(all)`` on ``TIMEOFDAY_OU_KEY`` to ``FULLWORKER_KEY``
    for ``timeofday`` between ``"0000"`` and ``"2359"`` inclusive, i.e. the
    whole day, so the modify must succeed whenever the test runs.

    :id: 5b4da91a-7ac5-11e8-bbda-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    all_day_aci = (
        f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
        f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
        f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '
        f'(timeofday >= "0000" and timeofday <= "2359") ;)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", all_day_aci)

    worker_conn = UserAccount(topo.standalone, FULLWORKER_KEY).bind(PW_DM)
    # The window covers every minute of the day, so this must not be denied.
    target_ou = OrganizationalUnit(worker_conn, TIMEOFDAY_OU_KEY)
    target_ou.replace("seeAlso", "cn=1")
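def test_accept_aci_in_addition_to_acl(topo, clean, aci_of_user):
    """Misc Test 2 (accept aci in addition to acl).

    A user is created under ``ou=product development`` with ``mail``,
    ``givenname`` and ``userPassword`` set, and an ACI on
    ``CONTAINER_1_DELADD`` denies read/search/compare/write on
    ``givenname`` to anyone.  Anonymously, ``givenname`` must not read back as
    ``'Anuj'`` while ``uid`` stays readable.  NOTE(review): despite the test
    name the ACI uses the ``acl`` keyword; whether ``CONTAINER_1_DELADD``
    contains ``ou=product development`` is not visible here.

    Change from the original: the user cleanup runs in a ``finally`` so a
    failed assertion does not leave entries behind.

    :id: 8e9408fa-7db8-11e8-adaa-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=product development')
    user = uas.create_test_user()
    try:
        for attr, value in [('mail', '*****@*****.**'), ('givenname', 'Anuj'), ('userPassword', PW_DM)]:
            user.set(attr, value)
        aci_target = "(targetattr=givenname)"
        aci_allow = '(version 3.0; acl "Name of the ACI"; deny (read, search, compare, write)'
        aci_subject = 'userdn="ldap:///anyone";)'
        Domain(topo.standalone, CONTAINER_1_DELADD).add("aci", aci_target + aci_allow + aci_subject)
        conn = Anonymous(topo.standalone).bind()
        anon_view = UserAccount(conn, user.dn)
        # aci will block targetattr=givenname to anyone
        with pytest.raises(AssertionError):
            assert anon_view.get_attr_val_utf8('givenname') == 'Anuj'
        # aci does not cover uid, so it stays readable anonymously
        assert anon_view.get_attr_val_utf8('uid') == 'test_user_1000'
    finally:
        # Removes every entry listed under the container (unchanged cleanup).
        for entry in uas.list():
            entry.delete()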
def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user):
    """User EVERYDAY_KEY can access the data on every day of the week as per the ACI.

    The ACI grants ``allow(all)`` on ``DAYOFWEEK_OU_KEY`` to ``EVERYDAY_KEY``
    with ``dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat"`` — all seven
    days — so the modify must succeed whenever the test runs.

    :id: 6c5922ca-7ac5-11e8-8f01-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    every_day_aci = (
        f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
        f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
        f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '
        f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", every_day_aci)

    everyday_conn = UserAccount(topo.standalone, EVERYDAY_KEY).bind(PW_DM)
    # Every weekday is listed, so the modify is allowed on any day.
    target_ou = OrganizationalUnit(everyday_conn, DAYOFWEEK_OU_KEY)
    target_ou.replace("seeAlso", "cn=1")
def test_deny_all_access_with__target_set_on_wildcard_leaf(
        topo, test_uer, aci_of_user):
    """Search Test 13: deny all access with ``!=`` target set on a wildcard leaf.

    ``(target != ldap:///uid=Anuj*, ou=*,<suffix>)`` with
    ``deny absolute (all)`` for anyone: every entry that does not match the
    wildcard DN is denied.  Each test user therefore finds exactly one entry
    for ``(cn=*)``; the root connection finds two.

    :id: 16c54d76-6e12-11e8-b5ba-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry, test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should succeed
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail
        5. Operation should succeed
    """
    aci_body = (
        f'(target != ldap:///uid=Anuj*, ou=*,{DEFAULT_SUFFIX})(targetattr=*)'
        '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
        'userdn="ldap:///anyone";)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    search_filter = '(cn=*)'
    # Only the entry matching the wildcard target stays visible to users.
    for bind_dn in (USER_ANANDA, USER_ANUJ):
        user_conn = UserAccount(topo.standalone, bind_dn).bind(PW_DM)
        assert len(Accounts(user_conn, DEFAULT_SUFFIX).filter(search_filter)) == 1
    # The root connection is not subject to the ACI.
    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter(search_filter)) == 2
def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):
    """User cannot access the data at all as per the ACI.

    The ACI grants ``allow(all)`` on ``DAYOFWEEK_OU_KEY`` to ``TODAY_KEY`` with
    ``dayofweek = "$NEW_DATE"`` — the literal text ``$NEW_DATE``, which names
    no weekday.  The test binds as ``NODAY_KEY``, a different DN from the ACI's
    userdn, so the modify is refused with ``INSUFFICIENT_ACCESS`` regardless
    of the day clause.  NOTE(review): ``$NEW_DATE`` looks like an unexpanded
    variable inherited from a shell version of this test — confirm whether a
    real day name was intended.

    :id: 75cdac5e-7ac5-11e8-968a-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    no_day_aci = (
        f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
        f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
        f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
        f'and dayofweek = "$NEW_DATE" ;)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", no_day_aci)

    # Bind as the user the ACI does not name.
    noday_conn = UserAccount(topo.standalone, NODAY_KEY).bind(PW_DM)
    target_ou = OrganizationalUnit(noday_conn, DAYOFWEEK_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        target_ou.replace("seeAlso", "cn=1")
def test_allow_delete_access_not_to_userdn(topo, _add_user, _aci_of_user):
    """Test to allow delete access to ``!= userdn``.

    The ACI grants ``allow (delete)`` on every attribute to every bind DN
    *except* ``USER_WITH_ACI_DELADD`` (``userdn!=``).  Bound as exactly that
    excluded user, deleting ``USER_DELADD`` must be refused with
    ``INSUFFICIENT_ACCESS``.

    :id: 00637f6e-68e3-11e8-92a3-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI that allows userdn not to delete some userdn
        3. Delete something using test USER_DELADD
        4. Remove ACI
    :expectedresults:
        1. Entry should be added
        2. ACI should be added
        3. Operation should not succeed
        4. Delete operation for ACI should succeed
    """
    delete_aci = (
        '(targetattr="*")'
        f'(version 3.0; acl "All rights for {USER_DELADD}"; allow (delete) '
        f'userdn!="ldap:///{USER_WITH_ACI_DELADD}";)'
    )
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", delete_aci)

    # USER_WITH_ACI_DELADD is the one DN the "userdn!=" rule leaves out.
    excluded_conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    victim = UserAccount(excluded_conn, USER_DELADD)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        victim.delete()