def finofaci():
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
domain.remove_all('aci')
domain.replace_values('aci', preserved_acis)
except:
pass
def finofaci():
"""
Removes and Restores ACIs after the test.
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.remove_all('aci')
for i in aci_list:
domain.add("aci", i)
def finofaci():
"""
Removes and Restores ACIs and other users after the test.
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.remove_all('aci')
managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in managed_roles.list() + nested_roles.list() + users.list():
i.delete()
for i in aci_list:
domain.add("aci", i)
def finofaci():
"""
Removes and Restores ACIs and other users after the test.
And restore nsslapd-ignore-virtual-attrs to default
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.remove_all('aci')
managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in managed_roles.list() + nested_roles.list() + users.list():
i.delete()
for i in aci_list:
domain.add("aci", i)
topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')
def test_info_disclosure(request, topo):
"""Test that a search returns 32 when base entry does not exist
:id: f6dec4c2-65a3-41e4-a4c0-146196863333
:setup: Standalone Instance
:steps:
1. Add aci
2. Add test user
3. Bind as user and search for non-existent entry
:expectedresults:
1. Success
2. Success
3. Error 32 is returned
"""
ACI_TARGET = "(targetattr = \"*\")(target = \"ldap:///%s\")" % (
DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Read/Search permission for all users\"; allow (read,search)"
ACI_SUBJECT = "(userdn=\"ldap:///all\");)"
ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
# Get current ACi's so we can restore them when we are done
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
preserved_acis = suffix.get_attr_vals_utf8('aci')
def finofaci():
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
domain.remove_all('aci')
domain.replace_values('aci', preserved_acis)
except:
pass
request.addfinalizer(finofaci)
# Remove aci's
suffix.remove_all('aci')
# Add test user
USER_DN = "uid=test,ou=people," + DEFAULT_SUFFIX
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
users.create(
properties={
'uid': 'test',
'cn': 'test',
'sn': 'test',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/test',
'userPassword': PW_DM
})
# bind as user
conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)
# Search fo existing base DN
test = Domain(conn, DEFAULT_SUFFIX)
try:
test.get_attr_vals_utf8_l('dc')
assert False
except IndexError:
pass
# Search for a non existent bases
subtree = Domain(conn, "ou=does_not_exist," + DEFAULT_SUFFIX)
try:
subtree.get_attr_vals_utf8_l('objectclass')
except IndexError:
pass
subtree = Domain(
conn, "ou=also does not exist,ou=does_not_exist," + DEFAULT_SUFFIX)
try:
subtree.get_attr_vals_utf8_l('objectclass')
except IndexError:
pass
# Try ONE level search instead of BASE
try:
Accounts(conn, "ou=does_not_exist," + DEFAULT_SUFFIX).filter(
"(objectclass=top)", scope=ldap.SCOPE_ONELEVEL)
except IndexError:
pass
# add aci
suffix.add('aci', ACI)
# Search for a non existent entry which should raise an exception
with pytest.raises(ldap.NO_SUCH_OBJECT):
conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)
subtree = Domain(conn, "ou=does_not_exist," + DEFAULT_SUFFIX)
subtree.get_attr_vals_utf8_l('objectclass')
with pytest.raises(ldap.NO_SUCH_OBJECT):
conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)
subtree = Domain(
conn, "ou=also does not exist,ou=does_not_exist," + DEFAULT_SUFFIX)
subtree.get_attr_vals_utf8_l('objectclass')
with pytest.raises(ldap.NO_SUCH_OBJECT):
conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)
DN = "ou=also does not exist,ou=does_not_exist," + DEFAULT_SUFFIX
Accounts(conn, DN).filter("(objectclass=top)",
scope=ldap.SCOPE_ONELEVEL,
strict=True)
