def create_user(topology_st): """User for binding operation""" users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX) users.create( properties={ 'cn': TEST_USER_NAME, 'sn': TEST_USER_NAME, 'userpassword': TEST_USER_PWD, 'mail': '*****@*****.**' % TEST_USER_NAME, 'uid': TEST_USER_NAME, 'uidNumber': '1000', 'gidNumber': '1000', 'homeDirectory': '/home/test' }) # Add anonymous access aci ACI_TARGET = "(targetattr != \"userpassword || aci\")(target = \"ldap:///%s\")" % ( DEFAULT_SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)" ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topology_st.standalone, DEFAULT_SUFFIX) try: suffix.add('aci', ANON_ACI) except ldap.TYPE_OR_VALUE_EXISTS: pass
def aci_with_attr_subtype(request, topology_m2): """Adds and deletes an ACI in the DEFAULT_SUFFIX""" TARGET_ATTR = 'protectedOperation' USER_ATTR = 'allowedToPerform' SUBTYPE = request.param suffix = Domain(topology_m2.ms["supplier1"], DEFAULT_SUFFIX) log.info("========Executing test with '%s' subtype========" % SUBTYPE) log.info(" Add a target attribute") add_attr(topology_m2, TARGET_ATTR) log.info(" Add a user attribute") add_attr(topology_m2, USER_ATTR) ACI_TARGET = '(targetattr=%s;%s)' % (TARGET_ATTR, SUBTYPE) ACI_ALLOW = '(version 3.0; acl "test aci for subtypes"; allow (read) ' ACI_SUBJECT = 'userattr = "%s;%s#GROUPDN";)' % (USER_ATTR, SUBTYPE) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT log.info("Add an ACI with attribute subtype") suffix.add('aci', ACI_BODY) def fin(): log.info("Finally, delete an ACI with the '%s' subtype" % SUBTYPE) suffix.remove('aci', ACI_BODY) request.addfinalizer(fin) return ACI_BODY
def test_undefined_in_group_eval_three(topo, test_user, aci_of_user): """ This aci will allow access :id: 04943dcc-7841-11e8-8c46-8c16451d917b :setup: server :steps: 1. Add test entry 2. Take a count of users using DN_DM 3. Add test user 4. add aci 5. test should fullfil the aci rules :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed 4. Operation should succeed 5. Operation should succeed """ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL)) conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM) user = Domain(conn, DEEPGROUPSCRATCHENTRY_GLOBAL) # test UNDEFINED in group user.add("sn", "Fred") assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('uid') == 'scratchEntry' user.remove("sn", "Fred")
def test_undefined_in_group_eval_sixteen(topo, test_user, aci_of_user): """ Test with parent keyword with not key :id: 69852688-7841-11e8-8db1-8c16451d917b :setup: server :steps: 1. Add test entry 2. Take a count of users using DN_DM 3. Add test user 4. add aci 5. test should fullfil the aci rules :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed 4. Operation should succeed 5. Operation should succeed """ domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.add( "aci", '(targetattr=*)(version 3.0; aci "tester"; allow(all) not ( userattr = "parent[0,1].description#USERDN");)' ) domain.add("description", DEEPUSER_GLOBAL) conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM) # Test with parent keyword with not key user = UserAccount(conn, NEWCHILDSCRATCHENTRY_GLOBAL) with pytest.raises(ldap.INSUFFICIENT_ACCESS): user.add("description", DEEPUSER_GLOBAL)
def aci_of_user(request, topo): """ :param request: :param topo: """ # Add anonymous access aci ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % ( DEFAULT_SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)" ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topo.standalone, DEFAULT_SUFFIX) try: suffix.add('aci', ANON_ACI) except ldap.TYPE_OR_VALUE_EXISTS: pass aci_list = suffix.get_attr_vals('aci') def finofaci(): """ Removes and Restores ACIs after the test. """ domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.remove_all('aci') for i in aci_list: domain.add("aci", i) request.addfinalizer(finofaci)
def finofaci(): """ Removes and Restores ACIs after the test. """ domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.remove_all('aci') for i in aci_list: domain.add("aci", i)
def test_user(request, topo): for demo in ['Product Development', 'Accounting', 'nestedgroup']: OrganizationalUnit(topo.standalone, "ou={},{}".format( demo, DEFAULT_SUFFIX)).create(properties={'ou': demo}) uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'ou=nestedgroup') for demo1 in [ 'DEEPUSER_GLOBAL', 'scratchEntry', 'DEEPUSER2_GLOBAL', 'DEEPUSER3_GLOBAL', 'GROUPDNATTRSCRATCHENTRY_GLOBAL', 'newChild' ]: uas.create( properties={ 'uid': demo1, 'cn': demo1, 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + demo1, 'userPassword': PW_DM }) # Add anonymous access aci ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % ( DEFAULT_SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)" ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topo.standalone, DEFAULT_SUFFIX) suffix.add('aci', ANON_ACI) uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'uid=GROUPDNATTRSCRATCHENTRY_GLOBAL,ou=nestedgroup') for demo1 in ['c1', 'CHILD1_GLOBAL']: uas.create( properties={ 'uid': demo1, 'cn': demo1, 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + demo1, 'userPassword': PW_DM }) grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=nestedgroup') for i in [ ('ALLGROUPS_GLOBAL', GROUPA_GLOBAL), ('GROUPA_GLOBAL', GROUPB_GLOBAL), ('GROUPB_GLOBAL', GROUPC_GLOBAL), ('GROUPC_GLOBAL', GROUPD_GLOBAL), ('GROUPD_GLOBAL', GROUPE_GLOBAL), ('GROUPE_GLOBAL', GROUPF_GLOBAL), ('GROUPF_GLOBAL', GROUPG_GLOBAL), ('GROUPG_GLOBAL', GROUPH_GLOBAL), ('GROUPH_GLOBAL', DEEPUSER_GLOBAL) ]: grp.create(properties={ 'cn': i[0], 'ou': 'groups', 'uniquemember': i[1] })
def moddn_setup(topology_m2): """Creates - a staging DIT - a production DIT - add accounts in staging DIT - enable ACL logging (commented for performance reason) """ m1 = topology_m2.ms["supplier1"] o_roles = OrganizationalRoles(m1, SUFFIX) m1.log.info("\n\n######## INITIALIZATION ########\n") # entry used to bind with m1.log.info("Add {}".format(BIND_DN)) user = UserAccount(m1, BIND_DN) user_props = TEST_USER_PROPERTIES.copy() user_props.update({'sn': BIND_RDN, 'cn': BIND_RDN, 'uid': BIND_RDN, 'userpassword': BIND_PW}) user.create(properties=user_props, basedn=SUFFIX) # Add anonymous read aci ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"*\")" % (SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = " userdn = \"ldap:///anyone\";)" ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(m1, SUFFIX) suffix.add('aci', ACI_BODY) # DIT for staging m1.log.info("Add {}".format(STAGING_DN)) o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"}) # DIT for production m1.log.info("Add {}".format(PRODUCTION_DN)) o_roles.create(properties={'cn': PRODUCTION_CN, 'description': "production DIT"}) # DIT for production/except m1.log.info("Add {}".format(PROD_EXCEPT_DN)) o_roles_prod = OrganizationalRoles(m1, PRODUCTION_DN) o_roles_prod.create(properties={'cn': EXCEPT_CN, 'description': "production except DIT"}) # enable acl error logging # mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')] # m1.modify_s(DN_CONFIG, mod) # topology_m2.ms["supplier2"].modify_s(DN_CONFIG, mod) # add dummy entries in the staging DIT staging_users = UserAccounts(m1, SUFFIX, rdn="cn={}".format(STAGING_CN)) user_props = TEST_USER_PROPERTIES.copy() for cpt in range(MAX_ACCOUNTS): name = "{}{}".format(NEW_ACCOUNT, cpt) user_props.update({'sn': name, 'cn': name, 'uid': name}) staging_users.create(properties=user_props)
def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user): """ User can access the data when connecting from certain network only as per the ACI. :id: 4ec38296-7ac5-11e8-9816-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Turn access log buffering off to make less time consuming topo.standalone.config.set('nsslapd-accesslog-logbuffering', 'off') # Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances. # Wait till Access Log is generated topo.standalone.restart() hostname = socket.gethostname() IP = socket.gethostbyname(hostname) # Add ACI domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.add( "aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci "IP aci"; ' f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and (ip = "127.0.0.1" or ip = "::1" or ip = "{IP}") ;)' ) # create a new connection for the test conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM) # Perform Operation org = OrganizationalUnit(conn, IP_OU_KEY) org.replace("seeAlso", "cn=1") # remove the aci domain.ensure_removed( "aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci ' f'"IP aci"; allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ' f'(ip = "127.0.0.1" or ip = "::1" or ip = "{IP}") ;)') # Now add aci with new ip domain.add( "aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")(version 3.0; aci "IP aci"; ' f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "100.1.1.1" ;)' ) # After changing the ip user cant access data with pytest.raises(ldap.INSUFFICIENT_ACCESS): org.replace("seeAlso", "cn=1")
def password_policy(topology_st): """Set global password policy""" log.info('Enable global password policy. Check for syntax.') topology_st.standalone.config.set('passwordCheckSyntax', 'on') topology_st.standalone.config.set('nsslapd-pwpolicy-local', 'off') topology_st.standalone.config.set('passwordMinCategories', '1') # Add self user modification and anonymous aci USER_SELF_MOD_ACI = '(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)' ANON_ACI = "(targetattr=\"*\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)" suffix = Domain(topology_st.standalone, DEFAULT_SUFFIX) suffix.add('aci', USER_SELF_MOD_ACI) suffix.add('aci', ANON_ACI)
def add_anon_aci_access(topo, request): # Add anonymous access aci ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)" ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topo.standalone, DEFAULT_SUFFIX) try: suffix.add('aci', ANON_ACI) except ldap.TYPE_OR_VALUE_EXISTS: pass def fin(): suffix.delete() request.addfinalizer(fin)
def test_connection_from_an_unauthorized_network(topo, add_user, aci_of_user): """ User cannot access the data when connectin from an unauthorized network as per the ACI. :id: 52d1ecce-7ac5-11e8-9ad9-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ old_hostname = socket.gethostname() socket.sethostname('localhost') hostname = socket.gethostname() # Add ACI domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")' f'(targetattr="*")(version 3.0; aci "IP aci"; ' f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" ' f'and (ip != "127.0.0.1" and ip != "::1") ;)') # create a new connection for the test new_uri = topo.standalone.ldapuri.replace(old_hostname, hostname) topo.standalone.ldapuri = new_uri conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM) # Perform Operation topo.standalone.config.set('nsslapd-errorlog-level', '128') org = OrganizationalUnit(conn, IP_OU_KEY) with pytest.raises(ldap.INSUFFICIENT_ACCESS): org.replace("seeAlso", "cn=1") # Remove the ACI domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1]) # Add new ACI domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")' f'(version 3.0; aci "IP aci"; allow(all) ' f'userdn = "ldap:///{NETSCAPEIP_KEY}" and (ip = "127.0.0.1" or ip = "::1") ;)') time.sleep(1) # now user can access data org.replace("seeAlso", "cn=1")
def finofaci(): """ Removes and Restores ACIs and other users after the test. """ domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.remove_all('aci') managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX) nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX) users = UserAccounts(topo.standalone, DEFAULT_SUFFIX) for i in managed_roles.list() + nested_roles.list() + users.list(): i.delete() for i in aci_list: domain.add("aci", i)
def test_aci_invalid_syntax(topo, real_value): """ Try to set wrong ACI syntax. :id: d544d09a-6ed1-11e8-8872-8c16451d917b :setup: Standalone Instance :steps: 1. Create ACI 2. Try to setup the ACI with Instance :expectedresults: 1. It should pass 2. It should not pass """ domain = Domain(topo.standalone, DEFAULT_SUFFIX) with pytest.raises(ldap.INVALID_SYNTAX): domain.add("aci", real_value)
def test_group_aci_entry_exists(topo,create_user): """This test case adds the groupdn aci and check ger contains 'vadn' :id: 1d73f715-e4b3-4ed6-a93b-9d529898ca78 :setup: Standalone instance :steps: 1. Create a group. 2. Add the user as member into the group. 3. Apply the ACI which will give the group full rights. 4. Check entryLevelRights value for entries. 5. Check 'vadn' is in the entryLevelRights. :expectedresults: 1. It should pass 2. It should pass 3. It should pass 4. It should pass 5. It should pass """ (test_user,request_ctrl) = create_user log.info('Adding group {}'.format(TEST_GROUP_NAME)) groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn=None) group_properties = { 'cn': TEST_GROUP_NAME, 'description': 'testgroup'} test_group = groups.create(properties=group_properties) test_group.add_member(test_user.dn) suffix = Domain(topo.standalone, DEFAULT_SUFFIX) ACI_TARGET = '(targetattr="*")' ACI_TARGET_FILTER = '(targetfilter ="(objectClass=person)")' ACI_ALLOW = '(version 3.0; acl "give group1 full rights"; allow (all) ' ACI_SUBJECT = 'groupdn = "ldap:///{}";)'.format(test_group.dn) ACI_BODY = ACI_TARGET + ACI_TARGET_FILTER + ACI_ALLOW + ACI_SUBJECT log.info("Add an ACI granting add access to a user matching the groupdn") suffix.add('aci', ACI_BODY) entries = topo.standalone.search_ext('{}'.format(test_user.dn), ldap.SCOPE_SUBTREE, "objectclass=person", serverctrls=[request_ctrl]) rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(entries) for dn, attrs in rdata: topo.standalone.log.info("dn: %s" % dn) value = attrs['entryLevelRights'][0] topo.standalone.log.info("######## entryLevelRights: %r" % value) assert b'vadn' in value
def test_aci_invalid_syntax_fail(topo, real_value): """ Try to set wrong ACI syntax. :id: 83c40784-fff5-49c8-9535-7064c9c19e7e :parametrized: yes :setup: Standalone Instance :steps: 1. Create ACI 2. Try to setup the ACI with Instance :expectedresults: 1. It should pass 2. It should not pass """ domain = Domain(topo.standalone, DEFAULT_SUFFIX) with pytest.raises(ldap.INVALID_SYNTAX): domain.add("aci", real_value)
def test_aci_invalid_syntax(topo, real_value): """ Try to set wrong ACI syntax. :id: e8bf20b6-48be-4574-8300-056e42a0f0a8 :parametrized: yes :setup: Standalone Instance :steps: 1. Create ACI 2. Try to setup the ACI with Instance :expectedresults: 1. It should pass 2. It should not pass """ domain = Domain(topo.standalone, DEFAULT_SUFFIX) with pytest.raises(ldap.INVALID_SYNTAX): domain.add("aci", real_value)
def test_target_set_above_the_entry_test(topo): """ Try to set wrong ACI syntax. :id: d544d09a-6ed1-11e8-8872-8c16451d917b :setup: Standalone Instance :steps: 1. Create ACI 2. Try to setup the ACI with Instance :expectedresults: 1. It should pass 2. It should not pass """ domain = Domain(topo.standalone, "ou=People,{}".format(DEFAULT_SUFFIX)) with pytest.raises(ldap.INVALID_SYNTAX): domain.add( "aci", f'(target = ldap:///{DEFAULT_SUFFIX})' f'(targetattr=*)(version 3.0; acl "Name of the ACI"; deny absolute ' f'(all)userdn="ldap:///anyone";)')
def finofaci(): """ Removes and Restores ACIs and other users after the test. And restore nsslapd-ignore-virtual-attrs to default """ domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.remove_all('aci') managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX) nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX) users = UserAccounts(topo.standalone, DEFAULT_SUFFIX) for i in managed_roles.list() + nested_roles.list() + users.list(): i.delete() for i in aci_list: domain.add("aci", i) topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')
def test_group_aci_template_entry(topo,create_user): """This test case adds the groupdn aci and check ger contains 'vadn' :id: 714c8649-36b6-4e28-a4c5-4b16ede4355f :setup: Standalone instance :steps: 1. Apply the ACI which will give the user full rights. 2. Check entryLevelRights value for a non-existing template entry. 3. Check 'vadn' is in the entryLevelRights of the non-existing template entry. :expectedresults: 1. It should pass 2. It should pass 3. It should pass """ (test_user, request_ctrl) = create_user suffix = Domain(topo.standalone, DEFAULT_SUFFIX) ACI_TARGET = '(targetattr="*")' ACI_TARGET_FILTER = '(targetfilter ="(objectClass=person)")' ACI_ALLOW = '(version 3.0; acl "allow all to target"; allow (all) ' ACI_SUBJECT = 'userdn = "ldap:///{}";)'.format(test_user.dn) ACI_BODY = ACI_TARGET + ACI_TARGET_FILTER + ACI_ALLOW + ACI_SUBJECT log.info("Add an ACI granting add access to a user matching the userdn") suffix.add('aci', ACI_BODY) entries = topo.standalone.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, "cn=sub_entry11", ["sn@person:cn", "member@groupofnames:cn"], serverctrls=[request_ctrl]) rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(entries) for dn, attrs in rdata: if dn == 'cn=template_person_objectclass,dc=example,dc=com': topo.standalone.log.info("dn: %s" % dn) value = attrs['entryLevelRights'][0] topo.standalone.log.info("######## entryLevelRights: %r" % value) assert b'vadn' in value elif dn == 'cn=template_groupofnames_objectclass,dc=example,dc=com': topo.standalone.log.info("dn: %s" % dn) value = attrs['entryLevelRights'][0] topo.standalone.log.info("######## entryLevelRights: %r" % value) assert b'vadn' not in value else: assert False
def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user): """ User cannot access the data when connectin from an unauthorized network as per the ACI. :id:52d1ecce-7ac5-11e8-9ad9-8c16451d917b :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances. ip_ip = topo.standalone.ds_access_log.match( '.* connection from ')[0].split()[-1] # Add ACI domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.add( "aci", f'(target = "ldap:///{IP_OU_KEY}")' f'(targetattr=*)(version 3.0; aci "IP aci"; ' f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" ' f'and ip != "{ip_ip}" ;)') # create a new connection for the test conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM) # Perform Operation org = OrganizationalUnit(conn, IP_OU_KEY) with pytest.raises(ldap.INSUFFICIENT_ACCESS): org.replace("seeAlso", "cn=1") # Remove the ACI domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1]) # Add new ACI domain.add( 'aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)' f'(version 3.0; aci "IP aci"; allow(all) ' f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)') # now user can access data org.replace("seeAlso", "cn=1")
def test_timeofday_keyword(topo, add_user, aci_of_user): """ User NOWORKER_KEY can access the data as per the ACI after removing ACI it cant. :id: 681dd58e-7ac5-11e8-bed1-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ now = time.strftime("%c") now_1 = "".join(now.split()[3].split(":"))[:4] # Add ACI domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.add( "aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")' f'(targetattr="*")(version 3.0; aci "Timeofday aci"; ' f'allow(all) userdn = "ldap:///{NOWORKER_KEY}" ' f'and timeofday = \'{now_1}\' ;)') # Create a new connection for this test. conn = UserAccount(topo.standalone, NOWORKER_KEY).bind(PW_DM) # Perform Operation org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY) org.replace("seeAlso", "cn=1") # Remove ACI aci = domain.get_attr_vals_utf8('aci')[-1] domain.ensure_removed('aci', aci) assert aci not in domain.get_attr_vals_utf8('aci') # after removing the ACI user cannot access the data time.sleep(1) with pytest.raises(ldap.INSUFFICIENT_ACCESS): org.replace("seeAlso", "cn=1")
def aci_of_user(request, topo): # Add anonymous access aci ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % ( DEFAULT_SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)" ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topo.standalone, DEFAULT_SUFFIX) try: suffix.add('aci', ANON_ACI) except ldap.TYPE_OR_VALUE_EXISTS: pass aci_list = suffix.get_attr_vals('aci') def finofaci(): domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.set('aci', None) for i in aci_list: domain.add("aci", i) request.addfinalizer(finofaci)
def finofaci(): domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.set('aci', None) for i in aci_list: domain.add("aci", i)
def test_managed_entry_removal(topo): """Check that we can't remove managed entry manually :id: cf9c5be5-97ef-46fc-b199-8346acf4c296 :setup: Standalone Instance :steps: 1. Enable the plugin 2. Restart the instance 3. Add our org units 4. Set up config entry and template entry for the org units 5. Add an entry that meets the MEP scope 6. Check if a managed group entry was created 7. Try to remove the entry while bound as Admin (non-DM) 8. Remove the entry while bound as DM 9. Check that the managing entry can be deleted too :expectedresults: 1. Success 2. Success 3. Success 4. Success 5. Success 6. Success 7. Should fail 8. Success 9. Success """ inst = topo.standalone # Add ACI so we can test that non-DM user can't delete managed entry domain = Domain(inst, DEFAULT_SUFFIX) ACI_TARGET = f"(target = \"ldap:///{DEFAULT_SUFFIX}\")" ACI_TARGETATTR = "(targetattr = *)" ACI_ALLOW = "(version 3.0; acl \"Admin Access\"; allow (all) " ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)" ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT domain.add('aci', ACI_BODY) # stop the plugin, and start it plugin = ManagedEntriesPlugin(inst) plugin.disable() plugin.enable() # Add our org units ous = OrganizationalUnits(inst, DEFAULT_SUFFIX) ou_people = ous.create(properties={'ou': 'managed_people'}) ou_groups = ous.create(properties={'ou': 'managed_groups'}) mep_templates = MEPTemplates(inst, DEFAULT_SUFFIX) mep_template1 = mep_templates.create( properties={ 'cn': 'MEP template', 'mepRDNAttr': 'cn', 'mepStaticAttr': 'objectclass: groupOfNames|objectclass: extensibleObject'.split( '|'), 'mepMappedAttr': 'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|') }) mep_configs = MEPConfigs(inst) mep_configs.create( properties={ 'cn': 'config', 'originScope': ou_people.dn, 'originFilter': 'objectclass=posixAccount', 'managedBase': ou_groups.dn, 'managedTemplate': mep_template1.dn }) inst.restart() # Add an entry that meets the MEP scope test_users_m1 = UserAccounts(inst, DEFAULT_SUFFIX, rdn='ou={}'.format(ou_people.rdn)) managing_entry = test_users_m1.create_test_user(1001) managing_entry.reset_password(USER_PASSWORD) user_bound_conn = managing_entry.bind(USER_PASSWORD) # Get the managed entry managed_groups = Groups(inst, ou_groups.dn, rdn=None) managed_entry = managed_groups.get(managing_entry.rdn) # Check that the managed entry was created assert managed_entry.exists() # Try to remove the entry while bound as Admin (non-DM) managed_groups_user_conn = Groups(user_bound_conn, ou_groups.dn, rdn=None) managed_entry_user_conn = managed_groups_user_conn.get(managed_entry.rdn) with pytest.raises(ldap.UNWILLING_TO_PERFORM): managed_entry_user_conn.delete() assert managed_entry_user_conn.exists() # Remove the entry while bound as DM managed_entry.delete() assert not managed_entry.exists() # Check that the managing entry can be deleted too managing_entry.delete() assert not managing_entry.exists()
def test_managedrole(topo, request): """Test Managed Role :id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. Search managed role entries :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Create Managed role entry roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX) role = roles.create(properties={"cn": 'ROLE1'}) # Create user and Assign the role to the entry uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None) uas.create( properties={ 'uid': 'Fail', 'cn': 'Fail', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'Fail', 'nsRoleDN': role.dn, 'userPassword': PW_DM }) # Create user and do not Assign any role to the entry uas.create( properties={ 'uid': 'Success', 'cn': 'Success', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'Success', 'userPassword': PW_DM }) # Assert that Manage role entry is created and its searchable assert ManagedRoles(topo.standalone, DEFAULT_SUFFIX).list()[0].dn \ == 'cn=ROLE1,dc=example,dc=com' # Set an aci that will deny ROLE1 manage role Domain(topo.standalone, DEFAULT_SUFFIX).\ add('aci', '(targetattr="*")(version 3.0; aci "role aci";' ' deny(all) roledn="ldap:///{}";)'.format(role.dn),) # Add self user modification and anonymous aci ANON_ACI = "(targetattr=\"*\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)" suffix = Domain(topo.standalone, DEFAULT_SUFFIX) suffix.add('aci', ANON_ACI) # Crate a connection with cn=Fail which is member of ROLE1 conn = UserAccount(topo.standalone, "uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM) # Access denied to ROLE1 members assert not ManagedRoles(conn, DEFAULT_SUFFIX).list() # Now create a connection with cn=Success which is not a member of ROLE1 conn = UserAccount(topo.standalone, "uid=Success,{}".format(DEFAULT_SUFFIX)).bind(PW_DM) # Access allowed here assert ManagedRoles(conn, DEFAULT_SUFFIX).list() for i in uas.list(): i.delete() for i in roles.list(): i.delete() def fin(): topo.standalone.restart() try: role = ManagedRoles(topo.standalone, DEFAULT_SUFFIX).get('ROLE1') role.delete() except: pass topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on') request.addfinalizer(fin)
def test_mode_legacy_ger_with_moddn(topology_m2, moddn_setup): """This test checks mode legacy : GER with moddn :id: 37c1e537-1b5d-4fab-b62a-50cd8c5b3493 :setup: MMR with two suppliers, M1 - staging DIT M2 - production DIT add test accounts in staging DIT :steps: 1. Disable ACI checks - set nsslapd-moddn-aci: off 2. Add moddn ACI on M1 3. Search for GER controls on M1 4. Check entryLevelRights value for entries 5. Check 'n' is in the entryLevelRights 6. Try MOD with the both ACI :expectedresults: 1. It should pass 2. It should pass 3. It should pass 4. It should pass 5. It should pass 6. It should pass """ suffix = Domain(topology_m2.ms["supplier1"], SUFFIX) topology_m2.ms["supplier1"].log.info("\n\n######## Disable the moddn aci mod ########\n") _bind_manager(topology_m2) topology_m2.ms["supplier1"].config.set(CONFIG_MODDN_ACI_ATTR, 'off') topology_m2.ms["supplier1"].log.info("\n\n######## mode legacy : GER with moddn ########\n") # being allowed to read/write the RDN attribute use to allow the RDN ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"uid\")" % (PRODUCTION_DN) ACI_ALLOW = "(version 3.0; acl \"MODDN production changing the RDN attribute\"; allow (read,search,write)" ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT # successful MOD with the ACI _bind_manager(topology_m2) suffix.add('aci', ACI_BODY) _bind_normal(topology_m2) request_ctrl = GetEffectiveRightsControl(criticality=True, authzId=ensure_bytes("dn: " + BIND_DN)) msg_id = topology_m2.ms["supplier1"].search_ext(PRODUCTION_DN, ldap.SCOPE_SUBTREE, "objectclass=*", serverctrls=[request_ctrl]) rtype, rdata, rmsgid, response_ctrl = topology_m2.ms["supplier1"].result3(msg_id) # ger={} value = '' for dn, attrs in rdata: topology_m2.ms["supplier1"].log.info("dn: %s" % dn) value = attrs['entryLevelRights'][0] topology_m2.ms["supplier1"].log.info("######## entryLevelRights: %r" % value) assert b'n' in value # successful MOD with the both ACI _bind_manager(topology_m2) suffix.remove('aci', ACI_BODY)
def test_info_disclosure(request, topo): """Test that a search returns 32 when base entry does not exist :id: f6dec4c2-65a3-41e4-a4c0-146196863333 :setup: Standalone Instance :steps: 1. Add aci 2. Add test user 3. Bind as user and search for non-existent entry :expectedresults: 1. Success 2. Success 3. Error 32 is returned """ ACI_TARGET = "(targetattr = \"*\")(target = \"ldap:///%s\")" % ( DEFAULT_SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Read/Search permission for all users\"; allow (read,search)" ACI_SUBJECT = "(userdn=\"ldap:///all\");)" ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT # Get current ACi's so we can restore them when we are done suffix = Domain(topo.standalone, DEFAULT_SUFFIX) preserved_acis = suffix.get_attr_vals_utf8('aci') def finofaci(): domain = Domain(topo.standalone, DEFAULT_SUFFIX) try: domain.remove_all('aci') domain.replace_values('aci', preserved_acis) except: pass request.addfinalizer(finofaci) # Remove aci's suffix.remove_all('aci') # Add test user USER_DN = "uid=test,ou=people," + DEFAULT_SUFFIX users = UserAccounts(topo.standalone, DEFAULT_SUFFIX) users.create( properties={ 'uid': 'test', 'cn': 'test', 'sn': 'test', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/test', 'userPassword': PW_DM }) # bind as user conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM) # Search fo existing base DN test = Domain(conn, DEFAULT_SUFFIX) try: test.get_attr_vals_utf8_l('dc') assert False except IndexError: pass # Search for a non existent bases subtree = Domain(conn, "ou=does_not_exist," + DEFAULT_SUFFIX) try: subtree.get_attr_vals_utf8_l('objectclass') except IndexError: pass subtree = Domain( conn, "ou=also does not exist,ou=does_not_exist," + DEFAULT_SUFFIX) try: subtree.get_attr_vals_utf8_l('objectclass') except IndexError: pass # Try ONE level search instead of BASE try: Accounts(conn, "ou=does_not_exist," + DEFAULT_SUFFIX).filter( "(objectclass=top)", scope=ldap.SCOPE_ONELEVEL) except IndexError: pass # add aci suffix.add('aci', ACI) # Search for a non existent entry which should raise an exception with pytest.raises(ldap.NO_SUCH_OBJECT): conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM) subtree = Domain(conn, "ou=does_not_exist," + DEFAULT_SUFFIX) subtree.get_attr_vals_utf8_l('objectclass') with pytest.raises(ldap.NO_SUCH_OBJECT): conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM) subtree = Domain( conn, "ou=also does not exist,ou=does_not_exist," + DEFAULT_SUFFIX) subtree.get_attr_vals_utf8_l('objectclass') with pytest.raises(ldap.NO_SUCH_OBJECT): conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM) DN = "ou=also does not exist,ou=does_not_exist," + DEFAULT_SUFFIX Accounts(conn, DN).filter("(objectclass=top)", scope=ldap.SCOPE_ONELEVEL, strict=True)
def password_policy(topology_st): """Set up password policy Create a Password Admin entry; Set up password policy attributes in config; Add an aci to give everyone full access; Test that the setup works """ log.info('test_pwdAdmin_init: Creating Password Administrator entries...') users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX) groups = Groups(topology_st.standalone, DEFAULT_SUFFIX) # Add Password Admin 1 admin1_user = users.create( properties={ 'uid': 'admin1', 'cn': 'admin1', 'sn': 'strator', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/admin1', 'userPassword': ADMIN_PWD }) # Add Password Admin 2 admin2_user = users.create( properties={ 'uid': 'admin2', 'cn': 'admin2', 'sn': 'strator', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/admin2', 'userPassword': ADMIN_PWD }) # Add Password Admin Group admin_group = groups.create(properties={'cn': 'password admin group'}) admin_group.add_member(admin1_user.dn) admin_group.add_member(admin2_user.dn) # Configure password policy log.info('test_pwdAdmin_init: Configuring password policy...') topology_st.standalone.config.replace_many( ('nsslapd-pwpolicy-local', 'on'), ('passwordCheckSyntax', 'on'), ('passwordMinCategories', '1'), ('passwordMinTokenLength', '2'), ('passwordExp', 'on'), ('passwordMinDigits', '1'), ('passwordMinSpecials', '1')) # # Add an aci to allow everyone all access (just makes things easier) # log.info('Add aci to allow password admin to add/update entries...') domain = Domain(topology_st.standalone, DEFAULT_SUFFIX) ACI_TARGET = "(target = \"ldap:///%s\")" % SUFFIX ACI_TARGETATTR = "(targetattr = *)" ACI_ALLOW = "(version 3.0; acl \"Password Admin Access\"; allow (all) " ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)" ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT domain.add('aci', ACI_BODY) # # Bind as the future Password Admin # log.info( 'test_pwdAdmin_init: Bind as the Password Administrator (before activating)...' ) admin_conn = admin1_user.bind(ADMIN_PWD) # # Setup our test entry, and test password policy is working # # Connect up an admin authed users connection. admin_users = UserAccounts(admin_conn, DEFAULT_SUFFIX) # # Start by attempting to add an entry with an invalid password # log.info( 'test_pwdAdmin_init: Attempt to add entries with invalid passwords, these adds should fail...' ) for passwd in INVALID_PWDS: with pytest.raises(ldap.CONSTRAINT_VIOLATION): admin_users.create( properties={ 'uid': 'example', 'cn': 'example', 'sn': 'example', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/example', 'userPassword': passwd }) return (admin_group, admin1_user, admin2_user)
def test_aci_with_exclude_filter(topo, add_anon_aci_access): """Test an ACI(Access control instruction) which contains an extensible filter. :id: 238da674-81d9-11eb-a965-98fa9ba19b65 :setup: Standalone instance :steps: 1. Bind to a new Standalone instance 2. Generate text for the Access Control Instruction(ACI) and add to the standalone instance -Create a test user 'admin' with a marker -> deniedattr = 'telephonenumber' 3. Create 2 top Organizational units (ou) under the same root suffix 4. Create 2 test users for each Organizational unit (ou) above with the same username 'admin' 5. Bind to the Standalone instance as the user 'admin' from the ou created in step 4 above - Search for user(s) ' admin in the subtree that satisfy this criteria: DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, cn_filter, [deniedattr, 'dn'] 6. The search should return 2 entries with the username 'admin' 7. Verify that the users found do not have the --> deniedattr = 'telephonenumber' marker :expectedresults: 1. Bind should be successful 2. Operation to create 2 Orgs (ou) should be successful 3. Operation to create 2 (admin*) users should be successful 4. Operation should be successful. 5. Operation should be successful 6. Should successfully return 2 users that match "admin*" 7. PASS - users found do not have the --> deniedattr = 'telephonenumber' marker """ log.info('Create an OU for them') ous = OrganizationalUnit(topo.standalone, DEFAULT_SUFFIX) log.info('Create an top org users') users = UserAccounts(topo.standalone, DEFAULT_SUFFIX) log.info('Add aci which contains extensible filter.') ouname = 'outest' username = '******' passwd = 'Password' deniedattr = 'telephonenumber' log.info('Add aci which contains extensible filter.') aci_text = ('(targetattr = "{}")'.format(deniedattr) + '(target = "ldap:///{}")'.format(DEFAULT_SUFFIX) + '(version 3.0;acl "admin-tel-matching-rule-outest";deny (all)' + '(userdn = "ldap:///{}??sub?(&(cn={})(ou:dn:={}))");)'.format(DEFAULT_SUFFIX, username, ouname)) suffix = Domain(topo.standalone, DEFAULT_SUFFIX) suffix.add('aci', aci_text) log.info('Adding OU entries ...') for idx in range(0, 2): ou0 = 'OU%d' % idx log.info('Adding "ou" : %s under "dn" : %s...' % (ou0, DEFAULT_SUFFIX)) add_ou_entry(topo, ou0, DEFAULT_SUFFIX) parent = 'ou=%s,%s' % (ou0, DEFAULT_SUFFIX) log.info('Adding %s under %s...' % (ouname, parent)) add_ou_entry(topo, ouname, parent) user = UserAccounts(topo.standalone, parent, rdn=None) for idx in range(0, 2): parent = 'ou=%s,ou=OU%d,%s' % (ouname, idx, DEFAULT_SUFFIX) user = UserAccounts(topo.standalone, parent, rdn=None) username = '******'.format(username, idx) log.info('Adding User: %s under %s...' % (username, parent)) user = add_user_entry(topo, user, username, passwd, parent) log.info('Bind as user %s' % username) binddn_user = user.get(username) conn = binddn_user.bind(passwd) if not conn: log.error(" {} failed to authenticate: ".format(binddn_user)) assert False cn_filter = '(cn=%s)' % username entries = Accounts(conn, DEFAULT_SUFFIX).filter('(cn=admin*)') log.info('Verify 2 Entries returned for cn {}'.format(cn_filter)) assert len(entries) == 2 for entry in entries: assert not entry.get_attr_val_utf8('telephonenumber') log.info("Verified the entries do not contain 'telephonenumber' ") log.info('Test complete')