def verifyUserRoles(self, server, username, roles):
rest = RestConnection(server)
status, content, header = rbacmain(server)._retrieve_user_roles()
content = json.loads(content)
temp = rbacmain()._parse_get_user_response(content, username, username,
roles)
return temp
def test_role_assignment_audit(self):
ops = self.input.param("ops",'assign')
if ops in ['assign','edit']:
eventID=rbacmain.AUDIT_ROLE_ASSIGN
elif ops == 'remove':
eventID=rbacmain.AUDIT_REMOVE_ROLE
Audit = audit(eventID=eventID, host=self.master)
currentState = Audit.getAuditStatus()
self.log.info ("Current status of audit on ip - {0} is {1}".format(self.master.ip, currentState))
if currentState:
Audit.setAuditEnable('false')
self.log.info ("Enabling Audit ")
Audit.setAuditEnable('true')
self.sleep(30)
user_name = self.input.param("user_name")
final_roles = rbacmain()._return_roles(self.user_role)
payload = "name=" + user_name + "&roles=" + final_roles
status, content, header = rbacmain(self.master)._set_user_roles(user_name=self.user_id,payload=payload)
expectedResults = {"full_name":"RitamSharma","roles":["admin"],"identity:source":"saslauthd","identity:user":self.user_id,
"real_userid:source":"ns_server","real_userid:user":"******",
"ip":self.ipAddress, "port":123456}
if ops == 'edit':
payload = "name=" + user_name + "&roles=" + 'admin,cluster_admin'
status, content, header = rbacmain(self.master)._set_user_roles(user_name=self.user_id,payload=payload)
expectedResults = {"full_name":"RitamSharma","roles":["admin","cluster_admin"],"identity:source":"saslauthd","identity:user":self.user_id,
"real_userid:source":"ns_server","real_userid:user":"******",
"ip":self.ipAddress, "port":123456}
elif ops == 'remove':
status, content, header = rbacmain(self.master)._delete_user(self.user_id)
expectedResults = {"identity:source":"saslauthd","identity:user":self.user_id,
"real_userid:source":"ns_server","real_userid:user":"******",
"ip":self.ipAddress, "port":123456}
fieldVerification, valueVerification = Audit.validateEvents(expectedResults)
self.assertTrue(fieldVerification, "One of the fields is not matching")
self.assertTrue(valueVerification, "Values for one of the fields is not matching")
def remove_role_existing_grp(self, group_names, groles, ldap_ref, host):
for index, group_name in enumerate(group_names):
Gcontent = self.get_group_detail(group_name, host)
Gcontent = Gcontent[1]
Groles = Gcontent['roles']
roles = ""
for role in Groles:
roles = roles + "," + role['role']
if (roles[0] == ","):
roles = roles[1:]
final_roles = roles.split("," + groles[index])
if (len(final_roles) == 1 and final_roles[0] == groles[0]):
final_roles = ""
roles = ""
for i in final_roles:
roles = roles + i
log.info(
"Group name -- {0} :: Roles -- {1} :: LDAP REF -- {2}".format(
group_name, roles, ldap_ref))
rest = RestConnection(host)
status, content = rest.add_group_role(group_name, group_name,
roles, ldap_ref)
log.info("Output of adding group to roles is {0} - {1}".format(
status, content))
rest = RestConnection(host)
content = rbacmain(master_ip=host,
auth_type='builtin')._retrieve_user_roles()
content = rbacmain(master_ip=host,
auth_type='builtin')._retrieve_user_roles()
return content
def test_checkInvalidISASLPW(self):
shell = RemoteMachineShellConnection(self.master)
try:
result = rbacmain(
self.master,
self.auth_type)._check_role_permission_validate_multiple(
self.user_id, self.user_role, self.bucket_name,
self.role_map)
self.assertTrue(
result,
"Issue with role assignment and comparision with permission set"
)
command = "mv /opt/couchbase/var/lib/couchbase/isasl.pw /tmp"
o, r = shell.execute_command(command)
shell.log_command_output(o, r)
result = rbacmain(
self.master,
self.auth_type)._check_role_permission_validate_multiple(
self.user_id, self.user_role, self.bucket_name,
self.role_map)
self.assertTrue(
result,
"Issue with role assignment and comparision with permission set"
)
finally:
command = "mv /tmp/isasl.pw /opt/couchbase/var/lib/couchbase"
o, r = shell.execute_command(command)
shell.log_command_output(o, r)
shell.disconnect()
def upgrade_half_nodes(self):
serv_upgrade = self.servers[2:4]
servers_in = self.servers[1:]
self._install(self.servers)
self.cluster.rebalance(self.servers, servers_in, [])
self.user_role = self.input.param('user_role', None)
self.setup_4_1_settings()
upgrade_threads = self._async_update(
upgrade_version=self.upgrade_version, servers=serv_upgrade)
for threads in upgrade_threads:
threads.join()
status, content, header = rbacmain(self.master)._retrieve_user_roles()
self.assertFalse(
status,
"Incorrect status for rbac cluster in mixed cluster {0} - {1} - {2}"
.format(status, content, header))
for server in serv_upgrade:
status, content, header = rbacmain(server)._retrieve_user_roles()
self.assertFalse(
status,
"Incorrect status for rbac cluster in mixed cluster {0} - {1} - {2}"
.format(status, content, header))
def test_add_remove_some_user_check_permission(self):
final_roles = ""
user_list = self.returnUserList(self.user_id)
user_role_param = self.user_role.split(":")
if len(user_role_param) == 1:
final_roles = user_role_param[0]
else:
for role in user_role_param:
final_roles = role + "," + final_roles
for user_id in user_list:
payload = "name=" + user_id[0] + "&roles=" + final_roles
status, content, header = rbacmain(self.master,
self.auth_type)._set_user_roles(
user_name=user_id[0],
payload=payload)
rbacmain(self.master)._delete_user(user_list[0][0])
permission_str = "cluster.pools!read,cluster.nodes!read"
for user in user_list[1:]:
status, content, header = rbacmain(
self.master,
self.auth_type)._check_user_permission(user[0], user[1],
permission_str)
self.assertTrue(
status,
"Users cannot login if one of the user is deleted from couchbase"
)
def test_ldapDeleteUser(self):
rbacmain(self.master)._check_role_permission_validate_multiple(self.user_id,self.user_role,self.bucket_name,self.role_map)
user_name = rbacmain().returnUserList(self.user_id)
self._removeLdapUserRemote(user_name)
print user_name
status, content, header = rbacmain(self.master)._check_user_permission(user_name[0][0],user_name[0][1],self.user_role)
self.assertFalse(status,"Not getting 401 for users that are deleted in LDAP")
def test_add_remove_user_check_permission(self):
final_roles = ""
user_list = self.returnUserList(self.user_id)
user_role_param = self.user_role.split(":")
if len(user_role_param) == 1:
final_roles = user_role_param[0]
else:
for role in user_role_param:
final_roles = role + "," + final_roles
for user_id in user_list:
payload = "name=" + user_id[0] + "&roles=" + final_roles
status, content, header = rbacmain(self.master,
self.auth_type)._set_user_roles(
user_name=user_id[0],
payload=payload)
delete_user = user_list[1:]
for user in delete_user:
rbacmain(self.master, self.auth_type)._delete_user(user[0])
permission_str = "cluster.pools!read,cluster.nodes!read"
for user in delete_user:
status, content, header = rbacmain(
self.master,
self.auth_type)._check_user_permission(user_id[0], user_id[1],
permission_str)
self.assertFalse(status, "Deleted user can access couchase server")
def test_role_assignment_audit(self):
ops = self.input.param("ops",'assign')
if ops in ['assign','edit']:
eventID=rbacmain.AUDIT_ROLE_ASSIGN
elif ops == 'remove':
eventID=rbacmain.AUDIT_REMOVE_ROLE
Audit = audit(eventID=eventID, host=self.master)
currentState = Audit.getAuditStatus()
self.log.info ("Current status of audit on ip - {0} is {1}".format(self.master.ip, currentState))
if currentState:
Audit.setAuditEnable('false')
self.log.info ("Enabling Audit ")
Audit.setAuditEnable('true')
self.sleep(30)
user_name = self.input.param("user_name")
final_roles = rbacmain()._return_roles(self.user_role)
payload = "name=" + user_name + "&roles=" + final_roles
status, content, header = rbacmain(self.master)._set_user_roles(user_name=self.user_id,payload=payload)
expectedResults = {"full_name":"RitamSharma","roles":["admin"],"identity:source":"saslauthd","identity:user":self.user_id,
"real_userid:source":"ns_server","real_userid:user":"******",
"ip":self.ipAddress, "port":123456}
if ops == 'edit':
payload = "name=" + user_name + "&roles=" + 'admin,cluster_admin'
status, content, header = rbacmain(self.master)._set_user_roles(user_name=self.user_id,payload=payload)
expectedResults = {"full_name":"RitamSharma","roles":["admin","cluster_admin"],"identity:source":"saslauthd","identity:user":self.user_id,
"real_userid:source":"ns_server","real_userid:user":"******",
"ip":self.ipAddress, "port":123456}
elif ops == 'remove':
status, content, header = rbacmain(self.master)._delete_user(self.user_id)
expectedResults = {"identity:source":"saslauthd","identity:user":self.user_id,
"real_userid:source":"ns_server","real_userid:user":"******",
"ip":self.ipAddress, "port":123456}
fieldVerification, valueVerification = Audit.validateEvents(expectedResults)
self.assertTrue(fieldVerification, "One of the fields is not matching")
self.assertTrue(valueVerification, "Values for one of the fields is not matching")
def test_set_roles_with_name(self):
self.user_name = self.input.param("user_name", None)
final_user_name = rbacmain().returnUserList(self.user_name)
final_user_id = rbacmain().returnUserList(self.user_id)
user_list = ""
user_name = ""
if len(final_user_id) == 1:
user_list = str(final_user_id[0])
user_name = str(final_user_name[0])
else:
for final_user in final_user_id:
user_list = user_list + "," + str(final_user[0])
for final_name in final_user_name:
user_name = user_name + "," + str(final_name)
user_list = user_list[1:]
user_name = user_name[3:-2]
user_name = "\"" + user_name + "\""
final_roles = rbacmain()._return_roles(self.user_role)
options = "--set-users=" + user_list + " --roles=" + final_roles + " --set-names=" + user_name
output, error = self.execute_admin_role_manage(options)
self.check_role_assignment(final_user_id, self.user_role, output)
def test_change_role(self):
rbacmain(self.master)._check_role_permission_validate_multiple(
self.user_id, self.user_role, self.bucket_name, self.role_map
)
result = rbacmain(self.master)._check_role_permission_validate_multiple(
self.user_id, self.new_role, self.bucket_name, self.new_role_map
)
self.assertTrue(result, "Issue with role assignment and comparision with permission set")
def setup_user_roles(self):
final_user_id = rbacmain().returnUserList(self.user_id)
final_roles = rbacmain()._return_roles(self.user_role)
payload = "name=" + self.user_name + "&roles=" + final_roles
for final_user in final_user_id:
status, content, header = rbacmain(self.master)._set_user_roles(user_name=final_user[0],payload=payload)
self.assertTrue(status,"Issue with setting role")
status = rbacmain()._parse_get_user_response(json.loads(content),final_user[0],self.user_name,final_roles)
self.assertTrue(status,"Role assignment not matching")
def test_checkPasswordChange(self):
result = rbacmain(self.master, self.auth_type)._check_role_permission_validate_multiple(self.user_id, self.user_role, self.bucket_name, self.role_map)
self.assertTrue(result, "Issue with role assignment and comparision with permission set")
user_list = self.returnUserList(self.user_id)
temp_id = ""
for i in range(len(user_list)):
self._changeLdapPassRemote(user_list[i][0], 'password1')
temp_id = str(user_list[i][0]) + ":" + str('password1?')
result = rbacmain(self.master, self.auth_type)._check_role_permission_validate_multiple(temp_id[:-1], self.user_role, self.bucket_name, self.role_map)
self.assertTrue(result, "Issue with role assignment and comparision with permission set")
def test_checkPasswordChange(self):
result = rbacmain(self.master, self.auth_type)._check_role_permission_validate_multiple(self.user_id,self.user_role,self.bucket_name,self.role_map)
self.assertTrue(result,"Issue with role assignment and comparision with permission set")
user_list = self.returnUserList(self.user_id)
temp_id = ""
for i in range(len(user_list)):
self._changeLdapPassRemote(user_list[i][0], 'password1')
temp_id = str(user_list[i][0]) + ":" + str('password1?')
result = rbacmain(self.master,self.auth_type)._check_role_permission_validate_multiple(temp_id[:-1],self.user_role,self.bucket_name,self.role_map)
self.assertTrue(result,"Issue with role assignment and comparision with permission set")
def test_user_role_cluster(self):
servers_count = self.servers[:self.nodes_init]
user_list = self.returnUserList(self.user_id)
final_roles = rbacmain()._return_roles(self.user_role)
for user_id in user_list:
payload = "name=" + user_id[0] + "&roles=" + final_roles
status, content, header = rbacmain(self.master)._set_user_roles(user_name=user_id[0],payload=payload)
for server in servers_count:
status, content, header = rbacmain(server)._retrieve_user_roles()
content = json.loads(content)
temp = rbacmain()._parse_get_user_response(content,user_id[0],user_id[0],self.user_role)
self.assertTrue(temp,"Roles are not matching for user")
def test_role_permission_noaccess_bucket(self):
rest=RestConnection(self.master)
rest.create_bucket(bucket='default', ramQuotaMB=100)
#rest1=RestConnection(self.master)
#rest1.create_bucket(bucket='default1', ramQuotaMB=100,proxyPort=11212)
bucket_name = self.bucket_name.split(":")
for server in self.servers[:self.nodes_init]:
if (len(bucket_name) > 1):
for bucket in bucket_name:
rbacmain(server)._check_role_permission_validate_multiple(self.user_id,self.user_role,bucket,self.role_map,self.incorrect_bucket)
else:
rbacmain(server)._check_role_permission_validate_multiple(self.user_id,self.user_role,self.bucket_name,self.role_map,no_bucket_access=self.no_bucket_access,no_access_bucket_name=self.no_access_bucket_name)
def test_role_assign_check_rest_api(self):
user_name = self.input.param("user_name")
final_test_role_assign_check_end_to_end = self.user_id.split("?")
final_roles = rbacmain()._return_roles(self.user_role)
payload = "name=" + user_name + "&roles=" + final_roles
if len(final_user_id) == 1:
status, content, header = rbacmain(self.master)._set_user_roles(user_name=self.user_id,payload=payload)
self.assertTrue(status,"Issue with setting role")
else:
for final_user in final_user_id:
status, content, header = rbacmain(self.master)._set_user_roles(user_name=final_user[0],payload=payload)
self.assertTrue(status,"Issue with setting role")
def test_role_assign_check_rest_api(self):
user_name = self.input.param("user_name")
final_test_role_assign_check_end_to_end = self.user_id.split("?")
final_roles = rbacmain()._return_roles(self.user_role)
payload = "name=" + user_name + "&roles=" + final_roles
if len(final_user_id) == 1:
status, content, header = rbacmain(self.master, self.auth_type)._set_user_roles(user_name=self.user_id, payload=payload)
self.assertTrue(status, "Issue with setting role")
else:
for final_user in final_user_id:
status, content, header = rbacmain(self.master, self.auth_type)._set_user_roles(user_name=final_user[0], payload=payload)
self.assertTrue(status, "Issue with setting role")
def test_role_permission_noaccess_bucket(self):
rest=RestConnection(self.master)
rest.create_bucket(bucket='default', ramQuotaMB=100)
#rest1=RestConnection(self.master)
#rest1.create_bucket(bucket='default1', ramQuotaMB=100,proxyPort=11212)
bucket_name = self.bucket_name.split(":")
for server in self.servers[:self.nodes_init]:
if (len(bucket_name) > 1):
for bucket in bucket_name:
rbacmain(server, self.auth_type)._check_role_permission_validate_multiple(self.user_id, self.user_role, bucket, self.role_map, self.incorrect_bucket)
else:
rbacmain(server, self.auth_type)._check_role_permission_validate_multiple(self.user_id, self.user_role, self.bucket_name, self.role_map, no_bucket_access=self.no_bucket_access, no_access_bucket_name=self.no_access_bucket_name)
def setup_user_roles(self):
final_user_id = rbacmain().returnUserList(self.user_id)
final_roles = rbacmain()._return_roles(self.user_role)
payload = "name=" + self.user_name + "&roles=" + final_roles
for final_user in final_user_id:
status, content, header = rbacmain(self.master)._set_user_roles(
user_name=final_user[0], payload=payload)
self.assertTrue(status, "Issue with setting role")
status = rbacmain()._parse_get_user_response(
json.loads(content), final_user[0], self.user_name,
final_roles)
self.assertTrue(status, "Role assignment not matching")
def test_user_role_cluster(self):
servers_count = self.servers[:self.nodes_init]
user_list = self.returnUserList(self.user_id)
final_roles = rbacmain()._return_roles(self.user_role)
for user_id in user_list:
payload = "name=" + user_id[0] + "&roles=" + final_roles
status, content, header = rbacmain(self.master, self.auth_type)._set_user_roles(user_name=user_id[0], payload=payload)
for server in servers_count:
status, content, header = rbacmain(server)._retrieve_user_roles()
content = json.loads(content)
temp = rbacmain()._parse_get_user_response(content, user_id[0], user_id[0], self.user_role)
self.assertTrue(temp, "Roles are not matching for user")
def test_change_role(self):
rbacmain(self.master,
self.auth_type)._check_role_permission_validate_multiple(
self.user_id, self.user_role, self.bucket_name,
self.role_map)
result = rbacmain(
self.master,
self.auth_type)._check_role_permission_validate_multiple(
self.user_id, self.new_role, self.bucket_name,
self.new_role_map)
self.assertTrue(
result,
"Issue with role assignment and comparision with permission set")
def test_ldapDeleteUser(self):
rbacmain(self.master,
self.auth_type)._check_role_permission_validate_multiple(
self.user_id, self.user_role, self.bucket_name,
self.role_map)
user_name = rbacmain().returnUserList(self.user_id)
self._removeLdapUserRemote(user_name)
status, content, header = rbacmain(
self.master,
self.auth_type)._check_user_permission(user_name[0][0],
user_name[0][1],
self.user_role)
self.assertFalse(status,
"Not getting 401 for users that are deleted in LDAP")
def test_user_role_cluster_rebalance_out(self):
user_list = self.returnUserList(self.user_id)
final_roles = rbacmain()._return_roles(self.user_role)
for user_id in user_list:
payload = "name=" + user_id[0] + "&roles=" + final_roles
status, content, header = rbacmain(self.master)._set_user_roles(user_name=user_id[0],payload=payload)
servers_out = self.servers[2:]
self.cluster.rebalance(self.servers, [], servers_out)
for server in self.servers[:2]:
status, content, header = rbacmain(server)._retrieve_user_roles()
content = json.loads(content)
for user_id in user_list:
temp = rbacmain()._parse_get_user_response(content,user_id[0],user_id[0],self.user_role)
self.assertTrue(temp,"Roles are not matching for user")
def test_user_role_cluster_rebalance_out(self):
user_list = self.returnUserList(self.user_id)
final_roles = rbacmain()._return_roles(self.user_role)
for user_id in user_list:
payload = "name=" + user_id[0] + "&roles=" + final_roles
status, content, header = rbacmain(self.master, self.auth_type)._set_user_roles(user_name=user_id[0],payload=payload)
servers_out = self.servers[2:]
self.cluster.rebalance(self.servers, [], servers_out)
for server in self.servers[:2]:
status, content, header = rbacmain(server)._retrieve_user_roles()
content = json.loads(content)
for user_id in user_list:
temp = rbacmain()._parse_get_user_response(content,user_id[0],user_id[0],self.user_role)
self.assertTrue(temp,"Roles are not matching for user")
def test_checkInvalidISASLPW(self):
shell = RemoteMachineShellConnection(self.master)
try:
result = rbacmain(self.master)._check_role_permission_validate_multiple(self.user_id,self.user_role,self.bucket_name,self.role_map)
self.assertTrue(result,"Issue with role assignment and comparision with permission set")
command = "mv /opt/couchbase/var/lib/couchbase/isasl.pw /tmp"
o, r = shell.execute_command(command)
shell.log_command_output(o, r)
result = rbacmain(self.master)._check_role_permission_validate_multiple(self.user_id,self.user_role,self.bucket_name,self.role_map)
self.assertTrue(result,"Issue with role assignment and comparision with permission set")
finally:
command = "mv /tmp/isasl.pw /opt/couchbase/var/lib/couchbase"
o, r = shell.execute_command(command)
shell.log_command_output(o, r)
shell.disconnect()
def test_set_roles(self):
final_user_id = rbacmain().returnUserList(self.user_id)
print final_user_id
user_list = ""
if len(final_user_id) == 1:
user_list = str(final_user_id[0])
else:
for final_user in final_user_id:
user_list = user_list + "," + str(final_user[0])
user_list = user_list[1:]
final_roles = rbacmain()._return_roles(self.user_role)
options = "--set-users=" + user_list + " --roles=" + final_roles
output, error = self.execute_admin_role_manage(options)
self.check_role_assignment(final_user_id,self.user_role,output)
def test_set_roles(self):
final_user_id = rbacmain().returnUserList(self.user_id)
print final_user_id
user_list = ""
if len(final_user_id) == 1:
user_list = str(final_user_id[0])
else:
for final_user in final_user_id:
user_list = user_list + "," + str(final_user[0])
user_list = user_list[1:]
final_roles = rbacmain()._return_roles(self.user_role)
options = "--set-users=" + user_list + " --roles=" + final_roles
output, error = self.execute_admin_role_manage(options)
self.check_role_assignment(final_user_id, self.user_role, output)
def delete_int_group(self, group_name, host):
rest = RestConnection(host)
content = rbacmain(master_ip=host,
auth_type='builtin')._retrieve_user_roles()
User_roles = json.loads(content[1])
for user in User_roles:
flag = 0
usr_role = user['roles']
finalroles = ""
for Urole in usr_role:
for item in Urole['origins']:
if 'name' in item.keys():
if item['name'] == group_name:
flag = 1
continue
if item['type'] == 'user':
finalroles = finalroles + "," + Urole['role']
if (finalroles != "" and finalroles[0] == ","):
finalroles = finalroles[1:]
payload = 'name=' + user[
'id'] + '&roles=' + finalroles + "&password=password"
if (flag == 1):
content = rest.add_set_builtin_user(user['id'], payload)
rest.delete_group(group_name)
def test_role_permission_validate_multiple_rest_api(self):
result = rbacmain(
self.master, servers=self.servers, cluster=self.cluster
)._check_role_permission_validate_multiple_rest_api(
self.user_id, self.user_role, self.bucket_name, self.role_map
)
self.assertTrue(result, "Issue with role assignment and comparision with permission set")
def test_compare_orig_roles(self):
status, content, header = rbacmain(self.master)._retrive_all_user_role(self.user_id)
orig_role_list = [
{"role": "admin", "name": "Admin", "desc": "Can manage ALL cluster features including security."},
{"role": "ro_admin", "name": "Read Only Admin", "desc": "Can view ALL cluster features."},
{
"role": "cluster_admin",
"name": "Cluster Admin",
"desc": "Can manage all cluster features EXCEPT security.",
},
{
"role": "bucket_admin",
"bucket_name": "*",
"name": "Bucket Admin",
"desc": "Can manage ALL bucket features for specified buckets (incl. start/stop XDCR)",
},
{
"role": "views_admin",
"bucket_name": "*",
"name": "Views Admin",
"desc": "Can manage views for specified buckets",
},
{
"role": "replication_admin",
"name": "Replication Admin",
"desc": "Can manage ONLY XDCR features (cluster AND bucket level)",
},
]
content = json.loads(content)
if orig_role_list == content:
self.assertTrue(True, "Issue in comparison of original roles with expected")
def test_add_remove_users(self):
final_roles=""
user_list = self.returnUserList(self.user_id)
user_role_param = self.user_role.split(":")
if len(user_role_param) == 1:
final_roles = user_role_param[0]
else:
for role in user_role_param:
final_roles = role + "," + final_roles
for user_id in user_list:
payload = "name=" + user_id[0] + "&roles=" + final_roles
status, content, header = rbacmain(self.master, self.auth_type)._set_user_roles(user_name=user_id[0], payload=payload)
delete_user = user_list[1:]
for user in delete_user:
status, content, header = rbacmain(self.master, self.auth_type)._delete_user(user[0])
self.assertTrue(status, "Issue with deleting users")
def test_role_assign_incorrect_bucket_name(self):
msg = self.input.param("msg",None)
payload = "name=" + self.user_id + "&roles=" + self.user_role
status, content, header = rbacmain(self.master)._set_user_roles(user_name=self.user_id,payload=payload)
self.assertFalse(status,"Incorrect status for incorrect role name")
if msg != content:
self.assertFalse(True,"Message shown is incorrect")
def test_role_assign_incorrect_bucket_name(self):
msg = self.input.param("msg", None)
payload = "name=" + self.user_id + "&roles=" + self.user_role
status, content, header = rbacmain(self.master)._set_user_roles(user_name=self.user_id, payload=payload)
self.assertFalse(status, "Incorrect status for incorrect role name")
if msg != content:
self.assertFalse(True, "Message shown is incorrect")
def test_add_remove_users(self):
final_roles=""
user_list = self.returnUserList(self.user_id)
user_role_param = self.user_role.split(":")
if len(user_role_param) == 1:
final_roles = user_role_param[0]
else:
for role in user_role_param:
final_roles = role + "," + final_roles
for user_id in user_list:
payload = "name=" + user_id[0] + "&roles=" + final_roles
status, content, header = rbacmain(self.master)._set_user_roles(user_name=user_id[0],payload=payload)
delete_user = user_list[1:]
for user in delete_user:
status, content, header = rbacmain(self.master)._delete_user(user[0])
self.assertTrue(status,"Issue with deleting users")
def upgrade_all_nodes(self):
servers_in = self.servers[1:]
self._install(self.servers)
self.cluster.rebalance(self.servers, servers_in, [])
self.user_role = self.input.param("user_role", None)
self.setup_4_1_settings()
upgrade_threads = self._async_update(upgrade_version=self.upgrade_version, servers=self.servers)
for threads in upgrade_threads:
threads.join()
for server in self.servers:
status, content, header = rbacmain(server)._retrieve_user_roles()
content = json.loads(content)
for user_id in self.fullAdmin:
temp = rbacmain()._parse_get_user_response(content, user_id[0], user_id[0], self.user_role)
self.assertTrue(temp, "Roles are not matching for user")
def test_add_remove_some_user_check_permission(self):
final_roles=""
user_list = self.returnUserList(self.user_id)
user_role_param = self.user_role.split(":")
if len(user_role_param) == 1:
final_roles = user_role_param[0]
else:
for role in user_role_param:
final_roles = role + "," + final_roles
for user_id in user_list:
payload = "name=" + user_id[0] + "&roles=" + final_roles
status, content, header = rbacmain(self.master)._set_user_roles(user_name=user_id[0],payload=payload)
rbacmain(self.master)._delete_user(user_list[0][0])
permission_str="cluster.pools!read,cluster.nodes!read"
for user in user_list[1:]:
status, content, header = rbacmain(self.master)._check_user_permission(user[0],user[1],permission_str)
self.assertTrue(status,"Users cannot login if one of the user is deleted from couchbase")
def setUp(self):
super(rbacTest, self).setUp()
self.rest = RestConnection(self.master)
self.userList = "bjons:password"
self.userList = self.returnUserList(self.userList)
#self._removeLdapUserRemote(self.userList)
#self._createLDAPUser(self.userList)
self.roleName = self.input.param("roleName")
self.rbac = rbacmain(self.master,'default')
def setUp(self):
super(rbacTest, self).setUp()
rest = RestConnection(self.master)
self.setupLDAPSettings(rest)
self.user_id = self.input.param("user_id",None)
self.user_role = self.input.param("user_role",None)
self.bucket_name = self.input.param("bucket_name",'default')
self.role_map = self.input.param("role_map",None)
self.incorrect_bucket = self.input.param("incorrect_bucket",False)
self.new_role = self.input.param("new_role",None)
self.new_role_map = self.input.param("new_role_map",None)
self.no_bucket_access = self.input.param("no_bucket_access",False)
self.no_access_bucket_name = self.input.param("no_access_bucket_name",None)
self.ldap_users = rbacmain().returnUserList(self.user_id)
self._removeLdapUserRemote(self.ldap_users)
self._createLDAPUser(self.ldap_users)
self.ldap_server = ServerInfo(self.ldapHost, self.ldapPort, 'root', 'couchbase')
rbacmain()._delete_user_from_roles(self.master)
def upgrade_half_nodes(self):
serv_upgrade = self.servers[2:4]
servers_in = self.servers[1:]
self._install(self.servers)
self.cluster.rebalance(self.servers, servers_in, [])
self.user_role = self.input.param('user_role',None)
self.setup_4_1_settings()
upgrade_threads = self._async_update(upgrade_version=self.upgrade_version, servers=serv_upgrade)
for threads in upgrade_threads:
threads.join()
status, content, header = rbacmain(self.master)._retrieve_user_roles()
self.assertFalse(status,"Incorrect status for rbac cluster in mixed cluster {0} - {1} - {2}".format(status,content,header))
for server in serv_upgrade:
status, content, header = rbacmain(server)._retrieve_user_roles()
self.assertFalse(status,"Incorrect status for rbac cluster in mixed cluster {0} - {1} - {2}".format(status,content,header))
def test_role_assign_incorrect_bucket_name(self):
msg = self.input.param("msg", None)
payload = "name=" + self.user_id + "&roles=" + self.user_role
user_list = self.returnUserList(self.user_id)
for user in user_list:
status, content, header = rbacmain(self.master, self.auth_type)._set_user_roles(user_name=user[0], payload=payload)
self.assertFalse(status, "Incorrect status for incorrect role name")
content = json.loads(content)
if msg not in content:
self.assertFalse(True, "Message shown is incorrect")
def test_role_assign_incorrect_bucket_name(self):
msg = self.input.param("msg",None)
payload = "name=" + self.user_id + "&roles=" + self.user_role
user_list = self.returnUserList(self.user_id)
for user in user_list:
status, content, header = rbacmain(self.master,self.auth_type)._set_user_roles(user_name=user[0],payload=payload)
self.assertFalse(status,"Incorrect status for incorrect role name")
content = json.loads(content)
if msg not in content:
self.assertFalse(True,"Message shown is incorrect")
def test_add_remove_user_check_permission(self):
final_roles=""
user_list = self.returnUserList(self.user_id)
user_role_param = self.user_role.split(":")
if len(user_role_param) == 1:
final_roles = user_role_param[0]
else:
for role in user_role_param:
final_roles = role + "," + final_roles
for user_id in user_list:
payload = "name=" + user_id[0] + "&roles=" + final_roles
status, content, header = rbacmain(self.master)._set_user_roles(user_name=user_id[0],payload=payload)
delete_user = user_list[1:]
for user in delete_user:
rbacmain(self.master)._delete_user(user[0])
permission_str="cluster.pools!read,cluster.nodes!read"
for user in delete_user:
status, content, header = rbacmain(self.master)._check_user_permission(user_id[0],user_id[1],permission_str)
self.assertFalse(status,"Deleted user can access couchase server")
def upgrade_all_nodes(self):
servers_in = self.servers[1:]
self._install(self.servers)
self.cluster.rebalance(self.servers, servers_in, [])
self.user_role = self.input.param('user_role', None)
self.setup_4_1_settings()
upgrade_threads = self._async_update(
upgrade_version=self.upgrade_version, servers=self.servers)
for threads in upgrade_threads:
threads.join()
for server in self.servers:
status, content, header = rbacmain(server)._retrieve_user_roles()
content = json.loads(content)
for user_id in self.fullAdmin:
temp = rbacmain()._parse_get_user_response(
content, user_id[0], user_id[0], self.user_role)
self.assertTrue(temp, "Roles are not matching for user")
def test_role_assign_incorrect_bucket_name(self):
msg = self.input.param("msg",None)
payload = "name=" + self.user_id + "&roles=" + self.user_role
status, content, header = rbacmain(self.master)._set_user_roles(user_name=self.user_id,payload=payload)
self.assertFalse(status,"Incorrect status for incorrect role name")
self.log.info("value is {0}".format(msg))
self.log.info("value is {0}".format(content))
self.log.info("typeof content {0}".format(type(content)))
self.log.info("typeof content {0}".format(len(content)))
if msg == content:
self.assertFalse(True,"Message shown is incorrect")
def test_compare_orig_roles(self):
status, content, header = rbacmain(self.master)._retrive_all_user_role(self.user_id)
orig_role_list = [{"role":"admin","name":"Admin","desc":"Can manage ALL cluster features including security."},
{"role":"ro_admin","name":"Read Only Admin","desc":"Can view ALL cluster features."},
{"role":"cluster_admin","name":"Cluster Admin","desc":"Can manage all cluster features EXCEPT security."},
{"role":"bucket_admin","bucket_name":"*","name":"Bucket Admin","desc":"Can manage ALL bucket features for specified buckets (incl. start/stop XDCR)"},
{"role":"views_admin","bucket_name":"*","name":"Views Admin","desc":"Can manage views for specified buckets"},
{"role":"replication_admin","name":"Replication Admin","desc":"Can manage ONLY XDCR features (cluster AND bucket level)"}]
content = json.loads(content)
if orig_role_list == content:
self.assertTrue(True, "Issue in comparison of original roles with expected")
def do_initial_setup(self):
ldapGroupBase().delete_group(self.group_name, self.master)
self.addToUserList(self.user_list)
self.addToGroupList([self.group_name])
if self.auth_type == "ExternalGroup":
ldapGroupBase().create_group_ldap(self.group_name, self.user_list,
self.master)
group_dn = 'cn=' + self.group_name + ',' + self.LDAP_GROUP_DN
if len(self.user_list) > len(self.user_roles):
for num in range(0, len(self.user_list) - 1):
self.user_roles.append(self.user_roles[0])
ldapGroupBase().add_role_group(self.group_name,
self.group_roles[0], group_dn,
self.master)
self.log.info(self.user_list)
ldapGroupBase().create_grp_usr_external(self.user_list,
self.master,
[''] * len(self.user_list),
self.group_name)
elif self.auth_type == "ExternalUser":
ldapGroupBase().create_group_ldap(self.group_name, self.user_list,
self.master)
group_dn = 'cn=' + self.group_name + ',' + self.LDAP_GROUP_DN
if len(self.user_list) > len(self.user_roles):
for num in range(0, len(self.user_list) - 1):
self.user_roles.append(self.user_roles[0])
ldapGroupBase().create_grp_usr_external(self.user_list,
self.master,
self.user_roles, "")
elif self.auth_type == 'LDAPGroup':
ldapGroupBase().create_group_ldap(self.group_name, self.user_list,
self.master)
group_dn = 'cn=' + self.group_name + ',' + self.LDAP_GROUP_DN
ldapGroupBase().add_role_group(self.group_name,
self.group_roles[0], group_dn,
self.master)
elif self.auth_type == 'InternalGroup':
for index, usr in enumerate(self.user_list):
ldapGroupBase().create_grp_usr_internal(
[usr], self.master, [self.user_roles[index]])
content = rbacmain(master_ip=self.master,
auth_type='builtin')._retrieve_user_roles()
if (len(self.user_list) > len(self.user_roles)):
for num in range(0, len(self.user_list) - 1):
self.user_roles.append(self.user_roles[0])
final_role = self.user_roles[index] + "," + self.group_roles[0]
ldapGroupBase().create_int_group(self.group_name, [usr],
self.group_roles,
[self.user_roles[index]],
self.master)
self.rest.invalidate_ldap_cache()
def test_role_permission_validate_multiple_rest_api(self):
result = rbacmain(self.master,
self.auth_type,
servers=self.servers,
cluster=self.cluster
)._check_role_permission_validate_multiple_rest_api(
self.user_id, self.user_role, self.bucket_name,
self.role_map)
self.assertTrue(
result,
"Issue with role assignment and comparision with permission set")
def test_delete_user_role(self):
self.setup_user_roles()
final_user_id = rbacmain().returnUserList(self.user_id)
print final_user_id
user_list = ""
if len(final_user_id) == 1:
user_list = str(final_user_id[0][0])
else:
for final_user in final_user_id:
user_list = user_list + "," + str(final_user[0])
user_list = user_list[1:]
options = "--delete-users=" + user_list
output, error = self.execute_admin_role_manage(options)
self.assertTrue("SUCCESS: removed users" in output[0],"Issue with user deletion")
def test_single_user_multiple_groups(self):
add_group = self.input.param('add_group', 'addGrp')
add_user = self.input.param('add_user_to_grp', 'oel1')
content = rbacmain(
master_ip=self.master,
auth_type='builtin')._retrieve_user_details(add_user)
#contains all the group names for the user
grp = []
for role in content['roles']:
for type in role['origins']:
if 'name' in type.keys():
grp.append(type['name'])
grp.append(add_group)
content = ldapGroupBase().add_int_user_role(add_user, add_group,
self.master)
content = rbacmain(
master_ip=self.master,
auth_type='builtin')._retrieve_user_details(add_user)
for role in content['roles']:
for type in role['origins']:
if 'name' in type.keys():
self.assertTrue(
type['name'] in grp,
"The user roles doesnt have the grp: " + type['name'])
def test_delete_user_role(self):
self.setup_user_roles()
final_user_id = rbacmain().returnUserList(self.user_id)
print final_user_id
user_list = ""
if len(final_user_id) == 1:
user_list = str(final_user_id[0][0])
else:
for final_user in final_user_id:
user_list = user_list + "," + str(final_user[0])
user_list = user_list[1:]
options = "--delete-users=" + user_list
output, error = self.execute_admin_role_manage(options)
self.assertTrue("SUCCESS: removed users" in output[0],
"Issue with user deletion")
def test_role_assign_check_end_to_end(self):
user_name = self.input.param("user_name")
final_user_id = rbacmain().returnUserList(self.user_id)
final_roles = rbacmain()._return_roles(self.user_role)
payload = "name=" + user_name + "&roles=" + final_roles
if len(final_user_id) == 1:
status, content, header = rbacmain(self.master, self.auth_type)._set_user_roles(user_name=(self.user_id.split(":"))[0], payload=payload)
self.assertTrue(status, "Issue with setting role")
status = rbacmain()._parse_get_user_response(json.loads(content), (self.user_id.split(":"))[0], user_name, final_roles)
self.assertTrue(status, "Role assignment not matching")
else:
for final_user in final_user_id:
status, content, header = rbacmain(self.master, self.auth_type)._set_user_roles(user_name=final_user[0], payload=payload)
self.assertTrue(status, "Issue with setting role")
status = rbacmain()._parse_get_user_response(json.loads(content), final_user[0], user_name, final_roles)
self.assertTrue(status, "Role assignment not matching")
def test_role_assign_check_end_to_end(self):
user_name = self.input.param("user_name")
final_user_id = rbacmain().returnUserList(self.user_id)
final_roles = rbacmain()._return_roles(self.user_role)
payload = "name=" + user_name + "&roles=" + final_roles
if len(final_user_id) == 1:
status, content, header = rbacmain(self.master,self.auth_type)._set_user_roles(user_name=(self.user_id.split(":"))[0],payload=payload)
self.assertTrue(status,"Issue with setting role")
status = rbacmain()._parse_get_user_response(json.loads(content), (self.user_id.split(":"))[0],user_name,final_roles)
self.assertTrue(status,"Role assignment not matching")
else:
for final_user in final_user_id:
status, content, header = rbacmain(self.master,self.auth_type)._set_user_roles(user_name=final_user[0],payload=payload)
self.assertTrue(status,"Issue with setting role")
status = rbacmain()._parse_get_user_response(json.loads(content),final_user[0],user_name,final_roles)
self.assertTrue(status,"Role assignment not matching")
def add_local_user_role(self, user, group_name, host):
group_details = self.get_group_detail(group_name, host)
group_details = group_details[1]
final_group = ''
rest = RestConnection(host)
content = rbacmain(master_ip=host,
auth_type='builtin')._retrieve_user_details(user)
user_roles = content['roles']
finalroles = ""
for role in user_roles:
finalroles = finalroles + "," + role['role']
group_roles = ""
for role in group_details['roles']:
group_roles = group_roles + "," + role['role']
if (group_roles[0] == ','):
group_roles = group_roles[1:]
if (finalroles[0] == ','):
finalroles = finalroles[1:]
final_group = finalroles + ',' + group_roles
content = self.create_grp_usr_internal([user], host, [final_group],
group_name)
return content
def test_role_permission_validate_multiple(self):
result = rbacmain(master_ip=self.master, auth_type=self.auth_type)._check_role_permission_validate_multiple(self.user_id,self.user_role,self.bucket_name,self.role_map)
self.assertTrue(result,"Issue with role assignment and comparision with permission set")
def test_role_permission_validate_multiple_cluster(self):
for server in self.servers[:self.nodes_init]:
rbacmain(server,
self.auth_type)._check_role_permission_validate_multiple(
self.user_id, self.user_role, self.bucket_name,
self.role_map, self.incorrect_bucket)
def _get_user_role(self):
final_user_id = rbacmain().returnUserList(self.user_id)
final_roles = rbacmain()._return_roles(self.user_role)
return final_user_id, final_roles
def setUp(self):
super(RbacTestMemcached, self).setUp()
rest = RestConnection(self.master)
self.auth_type = self.input.param('auth_type','builtin')
self.user_id = self.input.param("user_id",None)
self.user_role = self.input.param("user_role",None)
self.bucket_name = self.input.param("bucket_name",None)
rest.create_bucket(bucket=self.bucket_name, ramQuotaMB=100,lww=True)
self.role_map = self.input.param("role_map",None)
self.incorrect_bucket = self.input.param("incorrect_bucket",False)
self.new_role = self.input.param("new_role",None)
self.new_role_map = self.input.param("new_role_map",None)
self.no_bucket_access = self.input.param("no_bucket_access",False)
self.no_access_bucket_name = self.input.param("no_access_bucket_name","noaccess")
self.all_buckets = self.input.param("all_buckets",None)
self.ldap_users = rbacmain().returnUserList(self.user_id)
if self.no_bucket_access:
rest.create_bucket(bucket=self.no_access_bucket_name, ramQuotaMB=100, lww=True)
if self.auth_type == 'ldap':
rbacmain(self.master, 'builtin')._delete_user('cbadminbucket')
if self.auth_type == 'ldap':
rbacmain().setup_auth_mechanism(self.servers,'ldap',rest)
for user in self.ldap_users:
testuser = [{'id': user[0], 'name': user[0], 'password': user[1]}]
RbacBase().create_user_source(testuser, 'ldap', self.master)
self.sleep(10)
elif self.auth_type == "pam":
rbacmain().setup_auth_mechanism(self.servers,'pam', rest)
rbacmain().add_remove_local_user(self.servers, self.ldap_users, 'deluser')
rbacmain().add_remove_local_user(self.servers, self.ldap_users,'adduser')
elif self.auth_type == "builtin":
for user in self.ldap_users:
testuser = [{'id': user[0], 'name': user[0], 'password': user[1]}]
RbacBase().create_user_source(testuser, 'builtin', self.master)
self.sleep(10)
def setUp(self):
super(rbacTest, self).setUp()
rest = RestConnection(self.master)
self.auth_type = self.input.param('auth_type','ldap')
self.user_id = self.input.param("user_id",None)
self.user_role = self.input.param("user_role",None)
self.bucket_name = self.input.param("bucket_name",'default')
self.role_map = self.input.param("role_map",None)
self.incorrect_bucket = self.input.param("incorrect_bucket",False)
self.new_role = self.input.param("new_role",None)
self.new_role_map = self.input.param("new_role_map",None)
self.no_bucket_access = self.input.param("no_bucket_access",False)
self.no_access_bucket_name = self.input.param("no_access_bucket_name",None)
self.ldap_users = rbacmain().returnUserList(self.user_id)
if self.auth_type == 'ldap' or self.auth_type == 'pam':
rbacmain(self.master, 'builtin')._delete_user('cbadminbucket')
rbacmain(self.master, self.auth_type)._delete_user_from_roles(self.master)
if self.auth_type == 'ldap':
rbacmain().setup_auth_mechanism(self.servers,'ldap',rest)
self._removeLdapUserRemote(self.ldap_users)
self._createLDAPUser(self.ldap_users)
elif self.auth_type == "pam":
rbacmain().setup_auth_mechanism(self.servers,'pam', rest)
rbacmain().add_remove_local_user(self.servers, self.ldap_users, 'deluser')
rbacmain().add_remove_local_user(self.servers, self.ldap_users,'adduser')
elif self.auth_type == "builtin":
for user in self.ldap_users:
testuser = [{'id': user[0], 'name': user[0], 'password': user[1]}]
RbacBase().create_user_source(testuser, 'builtin', self.master)
self.sleep(10)
self.ldap_server = ServerInfo(self.ldapHost, self.ldapPort, 'root', 'couchbase')
self.ipAddress = self.getLocalIPAddress()
def test_role_permission_validate_multiple_cluster(self):
for server in self.servers[:self.nodes_init]:
rbacmain(server)._check_role_permission_validate_multiple(self.user_id,self.user_role,self.bucket_name,self.role_map,self.incorrect_bucket)