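def test_timeofday_keyword(topo, add_user, aci_of_user):
    """
    User NOWORKER_KEY can access the data as permitted by the ACI; once the
    ACI is removed the same operation is denied.

    :id: 681dd58e-7ac5-11e8-bed1-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # The timeofday bind rule takes the current time as HHMM.  Ask strftime
    # for exactly that instead of slicing "%c": the "%c" layout is locale
    # dependent, and the old split()[3] only worked when it produced the
    # C-locale "Day Mon DD HH:MM:SS YYYY" form.
    now_hhmm = time.strftime("%H%M")
    # NOTE(review): the rule is an equality on this single minute, so the
    # first modify below can be denied if the clock rolls over between here
    # and that operation -- confirm against the server's timeofday semantics.
    timeofday_aci = (
        f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
        f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
        f'allow(all) userdn = "ldap:///{NOWORKER_KEY}" '
        f'and timeofday = \'{now_hhmm}\' ;)'
    )
    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
    domain.add("aci", timeofday_aci)

    # Bind as the user the ACI grants access to and exercise that grant.
    conn = UserAccount(topo.standalone, NOWORKER_KEY).bind(PW_DM)
    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
    org.replace("seeAlso", "cn=1")

    # Remove the ACI again.  The value just added is assumed to be the last
    # one returned for the suffix (matches what domain.add() appended).
    aci = domain.get_attr_vals_utf8('aci')[-1]
    domain.ensure_removed('aci', aci)
    assert aci not in domain.get_attr_vals_utf8('aci')
    # Without the ACI the identical modify must now be refused.
    time.sleep(1)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")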
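def test_info_disclosure(request, topo):
    """Test that a search returns 32 when base entry does not exist

    :id: f6dec4c2-65a3-41e4-a4c0-146196863333
    :setup: Standalone Instance
    :steps:
        1. Add aci
        2. Add test user
        3. Bind as user and search for non-existent entry
    :expectedresults:
        1. Success
        2. Success
        3. Error 32 is returned
    """

    ACI_TARGET = "(targetattr = \"*\")(target = \"ldap:///%s\")" % (
        DEFAULT_SUFFIX)
    ACI_ALLOW = "(version 3.0; acl \"Read/Search permission for all users\"; allow (read,search)"
    ACI_SUBJECT = "(userdn=\"ldap:///all\");)"
    ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

    # Snapshot the suffix's ACIs so the finalizer can put them back.
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    preserved_acis = suffix.get_attr_vals_utf8('aci')

    def finofaci():
        """Best-effort restore of the original ACIs.

        Only LDAP errors are tolerated here (cleanup must not mask the test
        result); anything else is a real bug and propagates.
        """
        domain = Domain(topo.standalone, DEFAULT_SUFFIX)
        try:
            domain.remove_all('aci')
            domain.replace_values('aci', preserved_acis)
        except ldap.LDAPError:
            pass

    request.addfinalizer(finofaci)

    def search_must_not_disclose(search):
        """Run *search* as the unprivileged user and require a non-revealing answer.

        With no ACI granting read/search the server must answer the same way
        whether or not the base entry exists.  The empty result lib389 reports
        as IndexError is acceptable; NO_SUCH_OBJECT (or any other LDAP error)
        would tell the client the DN is absent, so it propagates and fails the
        test.
        """
        try:
            search()
        except IndexError:
            pass

    # Remove aci's
    suffix.remove_all('aci')

    # Add test user
    USER_DN = "uid=test,ou=people," + DEFAULT_SUFFIX
    users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    users.create(
        properties={
            'uid': 'test',
            'cn': 'test',
            'sn': 'test',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/test',
            'userPassword': PW_DM
        })

    # bind as user
    conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)

    # Existing base DN: with no ACI the user gets nothing back, not the entry.
    test = Domain(conn, DEFAULT_SUFFIX)
    with pytest.raises(IndexError):
        test.get_attr_vals_utf8_l('dc')

    # Non-existent bases (BASE and ONELEVEL scope) must look exactly like the
    # unreadable existing one -- no error 32 before an ACI grants search.
    missing = "ou=does_not_exist," + DEFAULT_SUFFIX
    missing_child = "ou=also does not exist," + missing
    search_must_not_disclose(
        lambda: Domain(conn, missing).get_attr_vals_utf8_l('objectclass'))
    search_must_not_disclose(
        lambda: Domain(conn, missing_child).get_attr_vals_utf8_l('objectclass'))
    search_must_not_disclose(
        lambda: Accounts(conn, missing).filter(
            "(objectclass=top)", scope=ldap.SCOPE_ONELEVEL))

    # add aci
    suffix.add('aci', ACI)

    # Once read/search is granted, a missing base is reported as NO_SUCH_OBJECT.
    # Bind once, outside the raises blocks, so a failure of the bind itself can
    # never be mistaken for the search error the test is looking for.
    conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)
    with pytest.raises(ldap.NO_SUCH_OBJECT):
        Domain(conn, missing).get_attr_vals_utf8_l('objectclass')
    with pytest.raises(ldap.NO_SUCH_OBJECT):
        Domain(conn, missing_child).get_attr_vals_utf8_l('objectclass')
    with pytest.raises(ldap.NO_SUCH_OBJECT):
        Accounts(conn, missing_child).filter("(objectclass=top)",
                                             scope=ldap.SCOPE_ONELEVEL,
                                             strict=True)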