def test_quota_pam(self):
with TempFilesystem(self.quota_type, fs_type=self.fs_type) as tfs, udm_test.UCSTestUDM() as udm:
quota_policy = {
"inodeSoftLimit": '10',
"inodeHardLimit": '15',
"spaceSoftLimit": str(1024 ** 2),
"spaceHardLimit": str(2048 ** 2),
"reapplyQuota": 'TRUE',
"name": uts.random_name(),
}
self._activate_quota(tfs.loop_dev)
print("Create Share")
share = udm.create_object(
'shares/share', name=self.share_name, path=tfs.mount_point, host=self.my_fqdn, directorymode="0777"
)
utils.wait_for_replication_and_postrun()
qc.cache_must_exists(share)
print("Create user")
udm.create_user(username=self.username, check_for_drs_replication=False, wait_for=False)
print("Create quota policy")
policy = self.create_quota_policy(udm, quota_policy)
print("Append quota policy")
udm.modify_object("shares/share", dn=share, policy_reference=policy)
utils.wait_for_replication_and_postrun()
qc.check_values(
share,
quota_policy["inodeSoftLimit"],
quota_policy["inodeHardLimit"],
quota_policy["spaceSoftLimit"],
quota_policy["spaceHardLimit"],
quota_policy["reapplyQuota"]
)
self.touch_file(tfs.mount_point)
self._check_quota_settings(tfs.loop_dev)
def test_udm_users_ldap_mspolicy(udm, ucr, module):
# bugs: [52446]
"""Test mspolicy password functionality"""
from univention.config_registry import handler_set
handler_set(['password/quality/mspolicy=true'])
attr = {'name': uts.random_username(), 'pwQualityCheck': 'TRUE'}
pol_dn = udm.create_object('policies/pwhistory',
wait_for_replication=True,
check_for_drs_replication=True,
wait_for=True,
**attr)
utils.wait_for_replication_and_postrun()
name = "%s_test1" % (uts.random_username())
attr = {
'password': '******',
'username': name,
'lastname': 'test',
'policy_reference': pol_dn
}
dn = udm.create_object(module,
wait_for_replication=True,
check_for_drs_replication=True,
wait_for=True,
**attr)
with pytest.raises(udm_test.UCSTestUDM_ModifyUDMObjectFailed):
udm.modify_object(module, dn=dn, password='******')
with pytest.raises(udm_test.UCSTestUDM_ModifyUDMObjectFailed):
udm.modify_object(module, dn=dn, password='******' % (name, ))
if module == 'users/user':
with pytest.raises(udm_test.UCSTestUDM_ModifyUDMObjectFailed):
udm.modify_object(module, dn=dn, password='******')
def add_printer(name, school, hostname, domainname, ldap_base):
# account = utils.UCSTestDomainAdminCredentials()
# adminuid = account.binddn
# passwd = account.bindpw
# adminuid = 'uid=Administrator,cn=users,dc=najjar,dc=local'
# passwd = 'univention'
cmd_add_printer = [
'udm', 'shares/printer', 'create', '--position',
'cn=printers,ou=%(school)s,%(ldap_base)s', '--set', 'name=%(name)s',
'--set', 'spoolHost=%(hostname)s.%(domainname)s', '--set',
'uri="file:// /tmp/%(name)s.printer"', '--set', 'model=None',
'--binddn', 'uid=Administrator,cn=users,%(ldap_base)s', '--bindpwd',
'univention'
]
print run_commands(
[cmd_add_printer], {
'name': name,
'school': school,
'hostname': hostname,
'domainname': domainname,
'ldap_base': ldap_base,
})
utils.wait_for_replication_and_postrun()
# give the CUPS and Samba server a little bit more time
time.sleep(15)
def test_two_shares_on_one_mount(self, quota_policies, expected_result):
with TempFilesystem(self.quota_type, fs_type=self.fs_type) as tfs, udm_test.UCSTestUDM() as udm:
self._activate_quota(tfs.loop_dev)
print("Create Shares")
share1_path = os.path.join(tfs.mount_point, self.share_name)
share2_path = os.path.join(tfs.mount_point, self.share_name2)
os.mkdir(share1_path)
os.mkdir(share2_path)
share1 = udm.create_object(
'shares/share', name=self.share_name, path=share1_path, host=self.my_fqdn, directorymode="0777"
)
share2 = udm.create_object(
'shares/share', name=self.share_name2, path=share2_path, host=self.my_fqdn, directorymode="0777"
)
utils.wait_for_replication_and_postrun()
qc.cache_must_exists(share1)
qc.cache_must_exists(share2)
print("Create user")
udm.create_user(username=self.username, check_for_drs_replication=False)
print("Create quota policies")
policies = []
for quota_policy in quota_policies:
policies.append(self.create_quota_policy(udm, quota_policy))
print("Append quota policies")
udm.modify_object("shares/share", dn=share1, policy_reference=policies[0])
udm.modify_object("shares/share", dn=share2, policy_reference=policies[1])
utils.wait_for_replication_and_postrun()
self.touch_file(tfs.mount_point)
self._check_quota_settings(tfs.loop_dev, expected_result)
def test_indirect_group_user_memberships_file_access(udm):
"""Access file as user of nested group of group of files owner"""
# TODO: test the opposite, reading is prevented by a user not in those groups
group = udm.create_group()[0]
nested_group = udm.create_group(memberOf=group)[0]
file_owner = udm.create_user(primaryGroup=group)
another_user = udm.create_user(groups=nested_group)
utils.wait_for_replication_and_postrun()
utils.wait_for_replication_and_postrun()
# create file as user "file_owner" and change permissions to 060 (read/write group only)
with tempfile.NamedTemporaryFile("w+", dir='/var/tmp') as fd:
fd.write('foo')
fd.flush()
os.remove(fd.name)
assert not os.path.exists(fd.name)
subprocess.check_call([
'su', file_owner[1], '-c',
'touch %(file)s; chmod 070 %(file)s' % {
'file': fd.name
}
])
# test reading as "another_user"
subprocess.check_call(
['su', another_user[1], '-c',
'cat %s' % fd.name])
# test writing as "another_user"
subprocess.check_call(
['su', another_user[1], '-c',
'touch %s' % fd.name])
def test_quota_pam(self):
with TempFilesystem(
self.quota_type,
fs_type=self.fs_type) as tfs, udm_test.UCSTestUDM() as udm:
self._activate_quota(tfs.loop_dev)
print("Create Share")
share = udm.create_object('shares/share',
name=self.share_name,
path=tfs.mount_point,
host=self.my_fqdn,
directorymode="0777")
utils.wait_for_replication_and_postrun()
qc.cache_must_exists(share)
print("Create user")
udm.create_user(username=self.username,
check_for_drs_replication=False)
print("Create quota policy")
policy = udm.create_object(
'policies/share_userquota',
position=self.quota_policy["position"],
name=self.quota_policy["name"],
softLimitSpace=self.quota_policy["spaceSoftLimit"],
hardLimitSpace=self.quota_policy["spaceHardLimit"],
softLimitInodes=self.quota_policy["inodeSoftLimit"],
hardLimitInodes=self.quota_policy["inodeHardLimit"],
reapplyeverylogin=self.quota_policy["reapplyQuota"],
)
print("Append quota policy")
udm.modify_object("shares/share",
dn=share,
policy_reference=policy)
utils.wait_for_replication_and_postrun()
qc.check_values(share, self.quota_policy["inodeSoftLimit"],
self.quota_policy["inodeHardLimit"],
self.quota_policy["spaceSoftLimit"],
self.quota_policy["spaceHardLimit"],
self.quota_policy["reapplyQuota"])
print("Write file on filesystem as user: {}".format(self.username))
subprocess.check_call([
"sudo",
"--user",
self.username,
"touch",
os.path.join(tfs.mount_point, "foo"),
])
self._check_quota_settings(tfs.loop_dev)
def test_container_ou_recursive_removal_with_special_characters(self, udm):
"""Remove an container/ou recursively with special characters"""
ou_name = uts.random_name_special_characters()
ou2_name = uts.random_name_special_characters()
ou = udm.create_object('container/ou', name=ou_name)
ou2 = udm.create_object('container/ou', name=ou2_name)
ou3 = udm.create_object('container/ou',
name=uts.random_name_special_characters())
utils.wait_for_replication_and_postrun()
udm.move_object('container/ou', dn=ou, position=ou2)
udm.move_object('container/ou', dn=ou2, position=ou3)
ou = 'ou=%s,ou=%s,%s' % (ldap.dn.escape_dn_chars(ou_name),
ldap.dn.escape_dn_chars(ou2_name), ou3)
udm.remove_object('container/ou', dn=ou3)
utils.verify_ldap_object(ou, should_exist=False)
def test_invalid_zone_names(zone):
lo = utils.get_ldap_connection()
with udm_test.UCSTestUDM() as udm, _ucr.UCSTestConfigRegistry() as ucr:
pos = 'cn=dns,%s' % (udm.LDAP_BASE,)
dn = 'zoneName=%s,%s' % (ldap.dn.escape_dn_chars(zone), pos)
attrs = {
'nSRecord': ['%(hostname)s.%(domainname)s.'],
'objectClass': ['dNSZone', 'top'],
'dNSTTL': ['10800'],
'relativeDomainName': ['@'],
'zoneName': [zone],
'sOARecord': ['%(hostname)s.%(domainname)s. root.%(domainname)s. 9 28800 7200 604800 10800'],
}
al = [(key, [v % dict(ucr) for v in val]) for key, val in attrs.items()]
print(('Creating', dn))
lo.add(dn, al)
try:
utils.wait_for_replication_and_postrun()
check(zone)
lo.modify(dn, [('dNSTTL', '10800', '10900')])
utils.wait_for_replication_and_postrun()
check(zone)
finally:
lo.delete(dn)
utils.wait_for_replication_and_postrun()
check(zone, True)
def test_container_cn_rename_uppercase_rollback_with_special_characters(
self, udm, ucr):
"""Rename a container/cn with un-moveable subobjects from lower to upper case special characters"""
user_name = uts.random_string()
network_name = uts.random_string()
cn_name = uts.random_name_special_characters()
cn_name_new = cn_name.upper()
cn = udm.create_object('container/cn', name=cn_name)
wait_for_drs_replication(ldap.filter.filter_format('cn=%s', [cn_name]))
udm.create_user(position=cn, username=user_name)
udm.create_object('networks/network',
position=cn,
name=network_name,
network='1.1.1.1',
netmask='24')
with pytest.raises(udm_test.UCSTestUDM_ModifyUDMObjectFailed):
udm.modify_object('container/cn', dn=cn, name=cn_name_new)
utils.wait_for_replication_and_postrun()
new_cn = 'cn=%s,%s' % (ldap.dn.escape_dn_chars(cn_name_new),
ucr.get('ldap/base'))
new_user = '******' % (ldap.dn.escape_dn_chars(user_name),
ldap.dn.escape_dn_chars(cn_name_new),
ucr.get('ldap/base'))
utils.verify_ldap_object(new_cn, should_exist=True)
utils.verify_ldap_object(new_user, should_exist=True)
lo = utils.get_ldap_connection()
for dn, entry in lo.search(
filter=ldap.filter.filter_format('cn=%s', [cn_name])):
assert entry.get('cn')[0] == cn_name.encode(
'UTF-8'), 'cn = %s; expected: %s' % (entry.get('cn')[0],
cn_name)
def test_filename_validation(modify, prefix, path, position, attr, ocs, name):
lo = utils.get_ldap_connection()
with udm_test.UCSTestUDM() as udm:
pos = '%s,%s' % (
position,
udm.LDAP_BASE,
)
filename = filename_modify = '%s%s%s' % (prefix, name,
strings.random_string())
if modify:
dn_modify = '%s=%s,%s' % (attr, ldap.dn.escape_dn_chars(filename),
pos)
filename = filename.replace('/', '').replace('.', '')
dn = '%s=%s,%s' % (attr, ldap.dn.escape_dn_chars(filename), pos)
fullpath = os.path.join(path, filename)
fullpath_modify = os.path.join(path, filename_modify)
attrs = {
attr: [filename],
'cn': [filename],
'objectClass': ['top', 'univentionObjectMetadata', ocs],
'univentionOwnedByPackage': ['foo'],
'univentionOwnedByPackageVersion': ['1'],
attr.replace('Filename', 'Data'): [
bz2.compress(
'\n' if modify else
'root:$6$5cAInBgG$7rdZuEujGK1QFoprcNspXsXHsymW3Txp0kDyHFsE.omI.3T0xek3KIneFPZ99Z8dwZnZ2I2O/Tk8x4mNNGSE4.:16965:0:99999:7:::'
)
],
attr.replace('Filename', 'Active'): ['TRUE'],
}
al = [(key, [v for v in val]) for key, val in attrs.items()]
print(('Creating', dn))
dn = lo.add(dn, al) or dn
try:
utils.wait_for_replication_and_postrun()
if modify:
assert os.path.exists(fullpath)
if ocs == 'univentionLDAPExtensionACL':
assert os.path.exists(fullpath + '.info')
print(('Modifying into', dn_modify))
dn = lo.modify(dn, [
(attr, filename, filename_modify),
('cn', filename, filename_modify),
]) or dn
print(('Modified', dn))
assert dn == dn_modify
utils.wait_for_replication_and_postrun()
# object was renamed (if modify). make sure the old files do not exists anymore.
assert not os.path.exists(fullpath_modify), err(fullpath_modify)
assert not os.path.exists(fullpath), err(fullpath)
if ocs == 'univentionLDAPExtensionACL':
assert not os.path.exists(fullpath + '.info'), err(fullpath +
'.info')
assert not os.path.exists(fullpath_modify +
'.info'), err(fullpath_modify +
'.info')
# create fake files and see if the listener would remove them.
with open(fullpath_modify, 'w') as fd:
fd.write('TEMP')
if ocs == 'univentionLDAPExtensionACL':
with open(fullpath_modify + '.info', 'w') as fd:
fd.write('TEMP')
finally:
lo.delete(dn)
utils.wait_for_replication_and_postrun()
assert os.path.exists(fullpath_modify), err(fullpath_modify)
assert 'TEMP' in err(fullpath_modify)
os.unlink(fullpath_modify)
if ocs == 'univentionLDAPExtensionACL':
assert os.path.exists(fullpath_modify +
'.info'), err(fullpath_modify)
assert 'TEMP' in err(fullpath_modify + '.info')
os.unlink(fullpath_modify + '.info')
def test_settings(self, school, user, user_dn, ip_address, ucr, client):
printer = uts.random_string()
# Create new workgroup and assign new internet rule to it
group = Workgroup(school, client, members=[user_dn])
group.create()
try:
global_domains = ['univention.de', 'google.de']
rule = InternetRule(typ='whitelist', domains=global_domains)
rule.define()
rule.assign(school, group.name, 'workgroup')
self.check_internetRules(client)
# Add new hardware printer
add_printer(printer, school, ucr.get('hostname'),
ucr.get('domainname'), ucr.get('ldap/base'))
# generate all the possible combinations for (rule, printmode, sharemode)
white_page = 'univention.de'
rules = ['none', 'Kein Internet', 'Unbeschränkt', 'custom']
printmodes = ['default', 'all', 'none']
sharemodes = ['all', 'home']
settings = itertools.product(rules, printmodes, sharemodes)
t = 120
utils.wait_for_replication()
# Testing loop
for i, (rule, printMode, shareMode) in enumerate(settings):
period = datetime.time.strftime(
(datetime.datetime.now() +
datetime.timedelta(0, t)).time(), '%H:%M')
print
print '*** %d -(internetRule, printMode, shareMode, period) = (%r, %r, %r, %r) ----------' % (
i, rule, printMode, shareMode, period)
new_settings = {
'customRule': white_page,
'printMode': printMode,
'internetRule': rule,
'shareMode': shareMode,
'period': period
}
self.aquire_room(client)
old_settings = self.get_room_settings(client)
self.set_room_settings(client, new_settings)
utils.wait_for_replication_and_postrun()
wait_for_s4connector()
# give the CUPS and Samba server a little bit more time
time.sleep(15)
# check if displayed values match
self.check_room_settings(client, new_settings)
# old_period = old_settings['period']
partial_old_settings = {
'period': old_settings['period'],
'printMode': old_settings['printMode'],
'shareMode': old_settings['shareMode'],
'internetRule': old_settings['internetRule']
}
self.check_behavior(partial_old_settings, new_settings, user,
ip_address, printer, white_page,
global_domains, ucr)
t += 60
finally:
group.remove()
remove_printer(printer, school, ucr.get('ldap/base'))
