def test_nestedrole(topo, _final):
"""
:id: d52a9cw0-3bg6-11e9-9b7b-8c16451d917t
:setup: Standalone server
:steps:
1. Add test entry
2. Add ACI
3. Search managed role entries
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Create Managed role entry
managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
managed_role1 = managed_roles.create(properties={"cn": 'managed_role1'})
managed_role2 = managed_roles.create(properties={"cn": 'managed_role2'})
# Create nested role entry
nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
nested_role = nested_roles.create(
properties={
"cn": 'nested_role',
"nsRoleDN": [managed_role1.dn, managed_role2.dn]
})
# Create user and assign managed role to it
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
user1 = users.create_test_user(uid=1, gid=1)
user1.set('nsRoleDN', managed_role1.dn)
user1.set('userPassword', PW_DM)
# Create another user and assign managed role to it
user2 = users.create_test_user(uid=2, gid=2)
user2.set('nsRoleDN', managed_role2.dn)
user2.set('userPassword', PW_DM)
# Create another user and do not assign any role to it
user3 = users.create_test_user(uid=3, gid=3)
user3.set('userPassword', PW_DM)
# Create a ACI with deny access to nested role entry
Domain(topo.standalone, DEFAULT_SUFFIX).\
add('aci', f'(targetattr=*)(version 3.0; aci '
f'"role aci"; deny(all) roledn="ldap:///{nested_role.dn}";)')
# Create connection with 'uid=test_user_1,ou=People,dc=example,dc=com' member of managed_role1
# and search while bound as the user
conn = users.get('test_user_1').bind(PW_DM)
assert not UserAccounts(conn, DEFAULT_SUFFIX).list()
# Create connection with 'uid=test_user_2,ou=People,dc=example,dc=com' member of managed_role2
# and search while bound as the user
conn = users.get('test_user_2').bind(PW_DM)
assert not UserAccounts(conn, DEFAULT_SUFFIX).list()
# Create connection with 'uid=test_user_3,ou=People,dc=example,dc=com' and
# search while bound as the user
conn = users.get('test_user_3').bind(PW_DM)
assert UserAccounts(conn, DEFAULT_SUFFIX).list()
def test_vattr_on_managed_role_replication(topo, request):
"""Test nsslapd-ignore-virtual-attrs configuration attribute
The attribute is ON by default. If a managed role is
added it is moved to OFF in replcation scenario
:id: 446f2fc3-bbb2-4835-b14a-cb855db78c6f
:customerscenario: True
:setup: Supplier Consumer
:steps:
1. Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config over consumer
2. Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON over consumer
3. Create a managed role in supplier
4. Check the value of nsslapd-ignore-virtual-attrs should be OFF over consumer
5. Check a message "roles_cache_trigger_update_role - Because of virtual attribute.." in error logs of consumer
6. Check after deleting role definition value of attribute nsslapd-ignore-virtual-attrs is set back to ON over consumer
:expectedresults:
1. This should be successful
2. This should be successful
3. This should be successful
4. This should be successful
5. This should be successful
6. This should be successful
"""
s = topo.ms['supplier1']
c = topo.cs['consumer1']
log.info(
"Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config"
)
assert c.config.present('nsslapd-ignore-virtual-attrs')
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON"
)
assert c.config.get_attr_val_utf8('nsslapd-ignore-virtual-attrs') == "on"
log.info("Create a managed role")
roles = ManagedRoles(s, DEFAULT_SUFFIX)
role = roles.create(properties={"cn": 'ROLE1'})
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs should be OFF"
)
time.sleep(5)
assert c.config.present('nsslapd-ignore-virtual-attrs', 'off')
c.stop()
assert c.searchErrorsLog(
"roles_cache_trigger_update_role - Because of virtual attribute definition \(role\), nsslapd-ignore-virtual-attrs was set to \'off\'"
)
def fin():
s.restart()
c.restart()
try:
filtered_roles = ManagedRoles(s, DEFAULT_SUFFIX)
for i in filtered_roles.list():
i.delete()
except:
pass
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs is back to ON"
)
s.restart()
c.restart()
assert c.config.get_attr_val_utf8(
'nsslapd-ignore-virtual-attrs') == "on"
request.addfinalizer(fin)
def _add_user(request, topo):
"""
A Function that will create necessary users delete the created user
"""
ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
ou_ou = ous.create(properties={'ou': 'roledntest'})
ou_ou.set('aci', [
f'(target="ldap:///{NESTED_ROLE_TESTER}")(targetattr="*") '
f'(version 3.0; aci "nested role aci"; allow(all)'
f'roledn = "ldap:///{ROLE2}";)',
f'(target="ldap:///{OR_RULE_ACCESS}")(targetattr="*")'
f'(version 3.0; aci "or role aci"; allow(all) '
f'roledn = "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
f'(target="ldap:///{ALL_ACCESS}")(targetattr=*)'
f'(version 3.0; aci "anyone role aci"; allow(all) '
f'roledn = "ldap:///anyone";)',
f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr=*)'
f'(version 3.0; aci "not role aci"; allow(all)'
f'roledn != "ldap:///{ROLE1} || ldap:///{ROLE21}";)'
])
nestedroles = NestedRoles(topo.standalone, OU_ROLE)
for i in [('role2', [ROLE1, ROLE21]), ('role3', [ROLE2, ROLE31])]:
nestedroles.create(properties={'cn': i[0], 'nsRoleDN': i[1]})
managedroles = ManagedRoles(topo.standalone, OU_ROLE)
for i in ['ROLE1', 'ROLE21', 'ROLE31']:
managedroles.create(properties={'cn': i})
filterroles = FilteredRoles(topo.standalone, OU_ROLE)
filterroles.create(
properties={
'cn': 'filterRole',
'nsRoleFilter': 'sn=Dr Drake',
'description': 'filter role tester'
})
users = UserAccounts(topo.standalone, OU_ROLE, rdn=None)
for i in [('STEVE_ROLE', ROLE1, 'Has roles 1, 2 and 3.'),
('HARRY_ROLE', ROLE21, 'Has roles 21, 2 and 3.'),
('MARY_ROLE', ROLE31, 'Has roles 31 and 3.')]:
users.create(
properties={
'uid': i[0],
'cn': i[0],
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i[0],
'userPassword': PW_DM,
'nsRoleDN': i[1],
'Description': i[2]
})
for i in [('JOE_ROLE', 'Has filterRole.'), ('NOROLEUSER', 'Has no roles.'),
('SCRACHENTRY', 'Entry to test rights on.'),
('all access', 'Everyone has acccess (incl anon).'),
('not rule access', 'Only accessible to mary.'),
('or rule access',
'Only to steve and harry but nbot mary or anon'),
('nested role tester', 'Only accessible to harry and steve.')]:
users.create(
properties={
'uid': i[0],
'cn': i[0],
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i[0],
'userPassword': PW_DM,
'Description': i[1]
})
# Setting SN for user JOE
UserAccount(topo.standalone,
f'uid=JOE_ROLE,ou=roledntest,{DEFAULT_SUFFIX}').set(
'sn', 'Dr Drake')
def fin():
"""
It will delete the created users
"""
for i in users.list() + managedroles.list() + nestedroles.list():
i.delete()
request.addfinalizer(fin)
def test_managedrole(topo):
"""Test Managed Role
:id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. Search managed role entries
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Create Managed role entry
roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
role = roles.create(properties={"cn": 'ROLE1'})
# Create user and Assign the role to the entry
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
uas.create(
properties={
'uid': 'Fail',
'cn': 'Fail',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Fail',
'nsRoleDN': role.dn,
'userPassword': PW_DM
})
# Create user and do not Assign any role to the entry
uas.create(
properties={
'uid': 'Success',
'cn': 'Success',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Success',
'userPassword': PW_DM
})
# Assert that Manage role entry is created and its searchable
assert ManagedRoles(topo.standalone, DEFAULT_SUFFIX).list()[0].dn \
== 'cn=ROLE1,dc=example,dc=com'
# Set an aci that will deny ROLE1 manage role
Domain(topo.standalone, DEFAULT_SUFFIX).\
add('aci', '(targetattr=*)(version 3.0; aci "role aci";'
' deny(all) roledn="ldap:///{}";)'.format(role.dn),)
# Crate a connection with cn=Fail which is member of ROLE1
conn = UserAccount(topo.standalone,
"uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Access denied to ROLE1 members
assert not ManagedRoles(conn, DEFAULT_SUFFIX).list()
# Now create a connection with cn=Success which is not a member of ROLE1
conn = UserAccount(topo.standalone,
"uid=Success,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Access allowed here
assert ManagedRoles(conn, DEFAULT_SUFFIX).list()
for i in uas.list():
i.delete()
for i in roles.list():
i.delete()
def test_vattr_on_managed_role(topo, request):
"""Test nsslapd-ignore-virtual-attrs configuration attribute
The attribute is ON by default. If a managed role is
added it is moved to OFF
:id: 664b722d-c1ea-41e4-8f6c-f9c87a212346
:customerscenario: True
:setup: Standalone instance
:steps:
1. Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config
2. Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON
3. Create a managed role
4. Check the value of nsslapd-ignore-virtual-attrs should be OFF
5. Check a message "roles_cache_trigger_update_role - Because of virtual attribute.." in error logs
6. Check after deleting role definition value of attribute nsslapd-ignore-virtual-attrs is set back to ON
:expectedresults:
1. This should be successful
2. This should be successful
3. This should be successful
4. This should be successful
5. This should be successful
6. This should be successful
"""
log.info(
"Check the attribute nsslapd-ignore-virtual-attrs is present in cn=config"
)
assert topo.standalone.config.present('nsslapd-ignore-virtual-attrs')
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs should be ON"
)
assert topo.standalone.config.get_attr_val_utf8(
'nsslapd-ignore-virtual-attrs') == "on"
log.info("Create a managed role")
roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
role = roles.create(properties={"cn": 'ROLE1'})
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs should be OFF"
)
assert topo.standalone.config.present('nsslapd-ignore-virtual-attrs',
'off')
topo.standalone.stop()
assert topo.standalone.searchErrorsLog(
"roles_cache_trigger_update_role - Because of virtual attribute definition \(role\), nsslapd-ignore-virtual-attrs was set to \'off\'"
)
def fin():
topo.standalone.restart()
try:
filtered_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
for i in filtered_roles.list():
i.delete()
except:
pass
log.info(
"Check the default value of attribute nsslapd-ignore-virtual-attrs is back to ON"
)
topo.standalone.restart()
assert topo.standalone.config.get_attr_val_utf8(
'nsslapd-ignore-virtual-attrs') == "on"
request.addfinalizer(fin)
def test_managedrole(topo, request):
"""Test Managed Role
:id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. Search managed role entries
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Create Managed role entry
roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
role = roles.create(properties={"cn": 'ROLE1'})
# Create user and Assign the role to the entry
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
uas.create(
properties={
'uid': 'Fail',
'cn': 'Fail',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Fail',
'nsRoleDN': role.dn,
'userPassword': PW_DM
})
# Create user and do not Assign any role to the entry
uas.create(
properties={
'uid': 'Success',
'cn': 'Success',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Success',
'userPassword': PW_DM
})
# Assert that Manage role entry is created and its searchable
assert ManagedRoles(topo.standalone, DEFAULT_SUFFIX).list()[0].dn \
== 'cn=ROLE1,dc=example,dc=com'
# Set an aci that will deny ROLE1 manage role
Domain(topo.standalone, DEFAULT_SUFFIX).\
add('aci', '(targetattr="*")(version 3.0; aci "role aci";'
' deny(all) roledn="ldap:///{}";)'.format(role.dn),)
# Add self user modification and anonymous aci
ANON_ACI = "(targetattr=\"*\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)"
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
suffix.add('aci', ANON_ACI)
# Crate a connection with cn=Fail which is member of ROLE1
conn = UserAccount(topo.standalone,
"uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Access denied to ROLE1 members
assert not ManagedRoles(conn, DEFAULT_SUFFIX).list()
# Now create a connection with cn=Success which is not a member of ROLE1
conn = UserAccount(topo.standalone,
"uid=Success,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Access allowed here
assert ManagedRoles(conn, DEFAULT_SUFFIX).list()
for i in uas.list():
i.delete()
for i in roles.list():
i.delete()
def fin():
topo.standalone.restart()
try:
role = ManagedRoles(topo.standalone, DEFAULT_SUFFIX).get('ROLE1')
role.delete()
except:
pass
topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')
request.addfinalizer(fin)
def _add_user(topo):
"""
This function will create user for the test and in the end entries will be deleted .
"""
role_aci_body = '(targetattr=*)(version 3.0; aci "role aci"; allow(all)'
# Creating OUs
ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
ou_accounting = ous.create(properties={'ou': 'Accounting'})
ou_accounting.set('aci', [
f'(target="ldap:///{ROLEDNACCESS}"){role_aci_body} '
f'userattr = "Description#ROLEDN";)',
f'(target="ldap:///{USERDNACCESS}"){role_aci_body} '
f'userattr = "Description#USERDN";)',
f'(target="ldap:///{GROUPDNACCESS}"){role_aci_body} '
f'userattr = "Description#GROUPDN";)',
f'(target="ldap:///{LDAPURLACCESS}"){role_aci_body} '
f'userattr = "Description#LDAPURL";)',
f'(target="ldap:///{ATTRNAMEACCESS}"){role_aci_body} '
f'userattr = "Description#4612";)'
])
ou_inheritance = ous.create(
properties={
'ou': 'Inheritance',
'street': LEVEL_4,
'seeAlso': LEVEL_3,
'st': LEVEL_2,
'description': LEVEL_1,
'businessCategory': LEVEL_0
})
inheritance_aci_body = '(targetattr=*)(version 3.0; aci "Inheritance aci"; allow(all) '
ou_inheritance.set('aci', [
f'{inheritance_aci_body} '
f'userattr = "parent[0].businessCategory#USERDN";)',
f'{inheritance_aci_body} '
f'userattr = "parent[0,1].description#USERDN";)',
f'{inheritance_aci_body} '
f'userattr = "parent[0,1,2].st#USERDN";)', f'{inheritance_aci_body} '
f'userattr = "parent[0,1,2,3].seeAlso#USERDN";)',
f'{inheritance_aci_body} '
f'userattr = "parent[0,1,2,3,4].street#USERDN";)'
])
# Creating Users
users = UserAccounts(topo.standalone, OU, rdn=None)
for i in [['Anuj Borah', 'Sunnyvale', ROLE1, '4612'],
['Ananda Borah', 'Santa Clara', ROLE2, 'Its Unknown']]:
users.create(
properties={
'uid': i[0],
'cn': i[0].split()[0],
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i[0].split()[0],
'userPassword': PW_DM,
'givenname': i[0].split()[0],
'l': i[1],
'mail': "*****@*****.**",
'telephonenumber': "+1 408 555 4798",
'facsimiletelephonenumber': "+1 408 555 9751",
'roomnumber': i[3],
'Description': i[3],
'nsRoleDN': i[2]
})
for demo1 in [('ROLEDNACCESS', ROLE1), ('USERDNACCESS', CAN),
('GROUPDNACCESS', NSSIMPLEGROUP), ('ATTRNAMEACCESS', '4612'),
('LDAPURLACCESS',
f"ldap:///{DEFAULT_SUFFIX}??sub?(l=Sunnyvale)")]:
users.create(
properties={
'uid': demo1[0],
'cn': demo1[0],
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + demo1[0],
'userPassword': PW_DM,
'Description': demo1[1]
})
# Creating roles
roles = ManagedRoles(topo.standalone, OU)
for i in ['ROLE1', 'ROLE2']:
roles.create(properties={"cn": i})
# Creating Groups
grps = Groups(topo.standalone, OU, rdn=None)
for i in [('NSSIMPLEGROUP', CAN), ('NSSIMPLEGROUP1', CANNOT)]:
grps.create(properties={'cn': i[0], 'ou': 'groups', 'member': i[1]})
users = UserAccounts(topo.standalone, OU_2, rdn=None)
for i in ['Grandson', 'Child', 'Parent', 'Grandparent', 'Ancestor']:
users.create(
properties={
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
})
# Creating Other OUs
for dn_dn in [(OU_2, 'ANCESTORS'), (ANCESTORS, 'GRANDPARENTS'),
(GRANDPARENTS, 'PARENTS'), (PARENTS, 'CHILDREN'),
(CHILDREN, 'GRANDSONS')]:
OrganizationalUnits(topo.standalone,
dn_dn[0]).create(properties={'ou': dn_dn[1]})
