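def test_timeofday_keyword(topo, add_user, aci_of_user):
    """User NOWORKER_KEY can access the data as per the ACI; after removing
    the ACI it can't.

    :id: 681dd58e-7ac5-11e8-bed1-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # The ACI ``timeofday`` keyword is compared against a zero-padded HHMM
    # string. Format it directly instead of parsing strftime("%c"): the
    # layout of "%c" (and therefore the index of the time token) depends on
    # LC_TIME, so under a non-C locale the old split()[3] picked up the year
    # and the ACI never matched the current time.
    # NOTE: an exact-minute match is inherently racy if the clock ticks over
    # between computing now_hhmm and the modify below; the server and the
    # test run on the same host here, so a single-minute window is used.
    now_hhmm = time.strftime("%H%M")

    # Add ACI: NOWORKER_KEY gets all rights on the OU, but only during the
    # current minute.
    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
    aci_text = (
        f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
        f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
        f'allow(all) userdn = "ldap:///{NOWORKER_KEY}" '
        f'and timeofday = \'{now_hhmm}\' ;)'
    )
    domain.add("aci", aci_text)

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, NOWORKER_KEY).bind(PW_DM)

    # Perform Operation: must succeed while the ACI is in place.
    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
    org.replace("seeAlso", "cn=1")

    # Remove exactly the ACI we added, rather than whatever value happens to
    # be last in the multi-valued attribute.
    domain.ensure_removed('aci', aci_text)
    assert aci_text not in domain.get_attr_vals_utf8('aci')

    # After removing the ACI the user must be denied.
    time.sleep(1)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")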
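def test_info_disclosure(request, topo):
    """Test that a search returns 32 when the base entry does not exist.

    Error 32 (noSuchObject) must only be returned once the bound user has
    read/search rights on the suffix. Without such rights a search below a
    non-existent base must look exactly like a search below an existing
    entry the user cannot see, otherwise the error code leaks whether the
    entry exists.

    :id: f6dec4c2-65a3-41e4-a4c0-146196863333
    :setup: Standalone Instance
    :steps:
        1. Add aci
        2. Add test user
        3. Bind as user and search for non-existent entry
    :expectedresults:
        1. Success
        2. Success
        3. Error 32 is returned
    """
    ACI_TARGET = "(targetattr = \"*\")(target = \"ldap:///%s\")" % (
        DEFAULT_SUFFIX)
    ACI_ALLOW = "(version 3.0; acl \"Read/Search permission for all users\"; allow (read,search)"
    ACI_SUBJECT = "(userdn=\"ldap:///all\");)"
    ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

    # Get current ACIs so we can restore them when we are done.
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    preserved_acis = suffix.get_attr_vals_utf8('aci')

    def finofaci():
        # Best-effort restore of the original ACIs. Only LDAP failures are
        # tolerated; a bare ``except`` would also swallow KeyboardInterrupt
        # and programming errors.
        domain = Domain(topo.standalone, DEFAULT_SUFFIX)
        try:
            domain.remove_all('aci')
            domain.replace_values('aci', preserved_acis)
        except ldap.LDAPError:
            pass
    request.addfinalizer(finofaci)

    def assert_no_disclosure(search):
        # With no read/search rights the server must behave as if nothing
        # was found: an empty result (surfacing as IndexError from the
        # lib389 accessor) is acceptable, but any LDAP error -- in
        # particular NO_SUCH_OBJECT (32) -- would reveal whether the base
        # exists, so it is left to propagate and fail the test.
        try:
            search()
        except IndexError:
            pass

    # Remove aci's
    suffix.remove_all('aci')

    # Add test user
    USER_DN = "uid=test,ou=people," + DEFAULT_SUFFIX
    users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    users.create(
        properties={
            'uid': 'test',
            'cn': 'test',
            'sn': 'test',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/test',
            'userPassword': PW_DM,
        })

    # bind as user
    conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)

    # Search for the existing base DN: with no ACI the user sees nothing,
    # which the lib389 accessor reports as IndexError.
    test = Domain(conn, DEFAULT_SUFFIX)
    with pytest.raises(IndexError):
        test.get_attr_vals_utf8_l('dc')

    # Search for non-existent bases (BASE scope): must be indistinguishable
    # from the existing-but-unreadable base above.
    missing = "ou=does_not_exist," + DEFAULT_SUFFIX
    missing_child = "ou=also does not exist," + missing
    assert_no_disclosure(
        lambda: Domain(conn, missing).get_attr_vals_utf8_l('objectclass'))
    assert_no_disclosure(
        lambda: Domain(conn, missing_child).get_attr_vals_utf8_l('objectclass'))

    # Try ONE level search instead of BASE
    assert_no_disclosure(
        lambda: Accounts(conn, missing).filter(
            "(objectclass=top)", scope=ldap.SCOPE_ONELEVEL))

    # add aci
    suffix.add('aci', ACI)

    # Now that the user may read/search the suffix, a search below a
    # non-existent base must raise NO_SUCH_OBJECT (error 32). Bind outside
    # the raises blocks so a bind failure is never mistaken for the
    # expected error.
    conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)
    with pytest.raises(ldap.NO_SUCH_OBJECT):
        Domain(conn, missing).get_attr_vals_utf8_l('objectclass')
    with pytest.raises(ldap.NO_SUCH_OBJECT):
        Domain(conn, missing_child).get_attr_vals_utf8_l('objectclass')
    with pytest.raises(ldap.NO_SUCH_OBJECT):
        Accounts(conn, missing_child).filter(
            "(objectclass=top)", scope=ldap.SCOPE_ONELEVEL, strict=True)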