コード例 #1
ファイル: basic_test.py プロジェクト: vashirov/389-ds-base
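 def fin():
     """Finalizer: drop managed roles and check the config default is restored.

     Restarts the standalone instance, deletes every managed role under
     DEFAULT_SUFFIX on a best-effort basis, restarts again and asserts that
     nsslapd-ignore-virtual-attrs reads "on".
     """
     topo.standalone.restart()
     try:
         for role in ManagedRoles(topo.standalone, DEFAULT_SUFFIX).list():
             role.delete()
     except Exception as exc:
         # Cleanup stays best-effort, but the failure is recorded instead of
         # being swallowed: presumably a role left behind is what would make
         # the assertion below fail, so the log line is the first clue.
         # Narrowing from a bare except also lets KeyboardInterrupt and
         # SystemExit propagate.
         log.warning("Managed role cleanup failed: %s", exc)
     log.info(
         "Check the default value of attribute nsslapd-ignore-virtual-attrs is back to ON"
     )
     topo.standalone.restart()
     assert topo.standalone.config.get_attr_val_utf8(
         'nsslapd-ignore-virtual-attrs') == "on"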
コード例 #2
    def finofaci():
        """
        Teardown: wipe the suffix ACIs, delete test roles and users, then
        put back the ACIs captured in ``aci_list``.
        """
        suffix_entry = Domain(topo.standalone, DEFAULT_SUFFIX)
        # Every ACI goes first, including any deny/allow rule a test added,
        # so none of them outlives the test that created it.
        suffix_entry.remove_all('aci')

        role_managed = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
        role_nested = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
        accounts = UserAccounts(topo.standalone, DEFAULT_SUFFIX)

        # All three listings are taken before the first delete is issued.
        leftovers = role_managed.list() + role_nested.list() + accounts.list()
        for entry in leftovers:
            entry.delete()

        # Re-apply the saved ACI values one by one.
        for saved_aci in aci_list:
            suffix_entry.add("aci", saved_aci)
コード例 #3
ファイル: basic_test.py プロジェクト: vashirov/389-ds-base
    def finofaci():
        """
        Teardown: wipe the suffix ACIs, delete test roles and users, put
        back the ACIs captured in ``aci_list`` and set
        nsslapd-ignore-virtual-attrs to 'on' again.
        """
        suffix_entry = Domain(topo.standalone, DEFAULT_SUFFIX)
        # Every ACI goes first, including any deny/allow rule a test added,
        # so none of them outlives the test that created it.
        suffix_entry.remove_all('aci')

        role_managed = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
        role_nested = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
        accounts = UserAccounts(topo.standalone, DEFAULT_SUFFIX)

        # All three listings are taken before the first delete is issued.
        leftovers = role_managed.list() + role_nested.list() + accounts.list()
        for entry in leftovers:
            entry.delete()

        # Re-apply the saved ACI values one by one.
        for saved_aci in aci_list:
            suffix_entry.add("aci", saved_aci)

        # Written explicitly so the setting does not depend on what the test
        # left behind.
        topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')
コード例 #4
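def test_managedrole(topo):
    """Test Managed Role

    :id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Search managed role entries
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)

    # The whole scenario runs under try/finally: a failed assertion must not
    # leave the role and the two users behind, where they would skew the
    # access-control results of whatever test runs next.
    try:
        # Create the managed role entry
        role = roles.create(properties={"cn": 'ROLE1'})

        # Create a user and assign the role to it
        uas.create(
            properties={
                'uid': 'Fail',
                'cn': 'Fail',
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + 'Fail',
                'nsRoleDN': role.dn,
                'userPassword': PW_DM
            })

        # Create a second user with no role assigned
        uas.create(
            properties={
                'uid': 'Success',
                'cn': 'Success',
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + 'Success',
                'userPassword': PW_DM
            })

        # The managed role entry exists and is searchable
        assert ManagedRoles(topo.standalone, DEFAULT_SUFFIX).list()[0].dn \
               == 'cn=ROLE1,dc=example,dc=com'

        # Add an ACI that denies everything to members of ROLE1.
        # NOTE(review): this ACI is not removed by this function; presumably a
        # fixture restores the suffix ACIs afterwards - confirm.
        Domain(topo.standalone, DEFAULT_SUFFIX).\
            add('aci', '(targetattr=*)(version 3.0; aci "role aci";'
                       ' deny(all) roledn="ldap:///{}";)'.format(role.dn),)

        # Bind as uid=Fail, which is a member of ROLE1
        conn = UserAccount(topo.standalone,
                           "uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
        # The deny rule applies: the role search returns nothing
        assert not ManagedRoles(conn, DEFAULT_SUFFIX).list()

        # Bind as uid=Success, which is not a member of ROLE1
        conn = UserAccount(topo.standalone,
                           "uid=Success,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
        # The deny rule does not apply: the role search returns entries
        assert ManagedRoles(conn, DEFAULT_SUFFIX).list()
    finally:
        # Same cleanup as before, now also reached when a step above fails.
        for i in uas.list():
            i.delete()

        for i in roles.list():
            i.delete()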
コード例 #5
ファイル: basic_test.py プロジェクト: vashirov/389-ds-base
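def test_managedrole(topo, request):
    """Test Managed Role

    :id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Search managed role entries
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    def fin():
        """Restart, drop ROLE1 if it still exists, reset the config attribute."""
        topo.standalone.restart()
        try:
            role = ManagedRoles(topo.standalone, DEFAULT_SUFFIX).get('ROLE1')
            role.delete()
        except Exception:
            # Best-effort: on the success path the role is already deleted
            # below, so a failed lookup here is expected. Narrowed from a
            # bare except so KeyboardInterrupt/SystemExit still propagate.
            pass
        topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')

    # Registered before the first directory change: registering it at the end
    # of the test meant a failed assertion skipped the cleanup entirely and
    # left ROLE1 and the changed setting in place for later tests.
    request.addfinalizer(fin)

    # Create the managed role entry
    roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
    role = roles.create(properties={"cn": 'ROLE1'})

    # Create a user and assign the role to it
    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
    uas.create(
        properties={
            'uid': 'Fail',
            'cn': 'Fail',
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + 'Fail',
            'nsRoleDN': role.dn,
            'userPassword': PW_DM
        })

    # Create a second user with no role assigned
    uas.create(
        properties={
            'uid': 'Success',
            'cn': 'Success',
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + 'Success',
            'userPassword': PW_DM
        })

    # The managed role entry exists and is searchable
    assert ManagedRoles(topo.standalone, DEFAULT_SUFFIX).list()[0].dn \
           == 'cn=ROLE1,dc=example,dc=com'

    # Add an ACI that denies everything to members of ROLE1
    Domain(topo.standalone, DEFAULT_SUFFIX).\
        add('aci', '(targetattr="*")(version 3.0; aci "role aci";'
                   ' deny(all) roledn="ldap:///{}";)'.format(role.dn),)
    # Add an anonymous read/search/compare ACI on the suffix.
    # NOTE(review): neither this ACI nor the deny rule above is removed by
    # this function or by fin(); presumably a fixture restores the suffix
    # ACIs - confirm, since an "anyone" read rule left in place would change
    # what later access-control tests observe.
    ANON_ACI = "(targetattr=\"*\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)"
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    suffix.add('aci', ANON_ACI)

    # Bind as uid=Fail, which is a member of ROLE1
    conn = UserAccount(topo.standalone,
                       "uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
    # The deny rule applies: the role search returns nothing
    assert not ManagedRoles(conn, DEFAULT_SUFFIX).list()

    # Bind as uid=Success, which is not a member of ROLE1
    conn = UserAccount(topo.standalone,
                       "uid=Success,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
    # The deny rule does not apply: the role search returns entries
    assert ManagedRoles(conn, DEFAULT_SUFFIX).list()

    for i in uas.list():
        i.delete()

    for i in roles.list():
        i.delete()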