def automember_fixture(topo, request): # Create group groups = [] group_obj = Groups(topo.standalone, DEFAULT_SUFFIX) groups.append(group_obj.create(properties={'cn': 'testgroup'})) groups.append(group_obj.create(properties={'cn': 'testgroup2'})) groups.append(group_obj.create(properties={'cn': 'testgroup3'})) # Create test user user_accts = UserAccounts(topo.standalone, DEFAULT_SUFFIX) user = user_accts.create_test_user() # Create automember definitions and regex rules automember_prop = { 'cn': 'testgroup_definition', 'autoMemberScope': DEFAULT_SUFFIX, 'autoMemberFilter': 'objectclass=posixaccount', 'autoMemberDefaultGroup': groups[0].dn, 'autoMemberGroupingAttr': 'member:dn', } automembers = AutoMembershipDefinitions(topo.standalone) auto_def = automembers.create(properties=automember_prop) auto_def.add_regex_rule("regex1", groups[1].dn, include_regex=['cn=mark.*']) auto_def.add_regex_rule("regex2", groups[2].dn, include_regex=['cn=simon.*']) # Enable plugin automemberplugin = AutoMembershipPlugin(topo.standalone) automemberplugin.enable() topo.standalone.restart() return (user, groups)
def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user): """Non-regression test for BUG 326000: MemberURL needs to be normalized :id: a5d172e6-7db8-11e8-aca7-8c16451d917b :setup: Standalone Instance :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ ou_ou = OrganizationalUnit(topo.standalone, "ou=PEOPLE,{}".format(DEFAULT_SUFFIX)) ou_ou.set( 'aci', '(targetattr= *)' '(version 3.0; acl "tester"; allow(all) ' 'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'.format( DEFAULT_SUFFIX)) groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=PEOPLE') groups.create( properties={ "cn": "DYNGROUP", "description": "DYNGROUP", 'objectClass': 'groupOfURLS', 'memberURL': "ldap:///ou=PEOPLE,{}??sub?" "(uid=test_user_2)".format(DEFAULT_SUFFIX) }) uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX) for demo1 in [(1, "Entry to test rights on."), (2, "Member of DYNGROUP")]: user = uas.create_test_user(uid=demo1[0], gid=demo1[0]) user.replace_many(('description', demo1[1]), ('userPassword', PW_DM)) ##with normal aci conn = UserAccount(topo.standalone, uas.list()[1].dn).bind(PW_DM) harry = UserAccount(conn, uas.list()[1].dn) harry.add('sn', 'FRED') ##with abnomal aci dygrp = Group(topo.standalone, DYNGROUP) dygrp.remove( 'memberurl', "ldap:///ou=PEOPLE,{}??sub?(uid=test_user_2)".format(DEFAULT_SUFFIX)) dygrp.add( 'memberurl', "ldap:///ou=PEOPLE,{}??sub?(uid=tesT_UsEr_2)".format(DEFAULT_SUFFIX)) harry.add('sn', 'Not FRED') for i in uas.list(): i.delete()
def add_group(server, cn, subtree): group = Groups(server, subtree, rdn=None) group.create( properties={ 'cn': "%s" % cn, 'member': ['uid=test_m1,%s' % SUBTREE_1, 'uid=test_m2,%s' % SUBTREE_1], 'description': 'group' })
def assert_data_present(inst): # Do we have the backend marker? d = Domain(inst, DEFAULT_SUFFIX) try: desc = d.get_attr_val_utf8('description') if desc == TEST_MARKER: return except: # Just reset everything. pass # Reset the backends bes = Backends(inst) try: be = bes.get(DEFAULT_SUFFIX) be.delete() except: pass be = bes.create(properties={ 'nsslapd-suffix': DEFAULT_SUFFIX, 'cn': 'userRoot', }) be.create_sample_entries('001004002') # Load our data # We can't use dbgen as that relies on local access :( # Add 40,000 groups groups = Groups(inst, DEFAULT_SUFFIX) for i in range(1, GROUP_MAX): rdn = 'group_{0:07d}'.format(i) groups.create(properties={ 'cn': rdn, }) # Add 60,000 users users = nsUserAccounts(inst, DEFAULT_SUFFIX) for i in range(1, USER_MAX): rdn = 'user_{0:07d}'.format(i) users.create( properties={ 'uid': rdn, 'cn': rdn, 'displayName': rdn, 'uidNumber': '%s' % i, 'gidNumber': '%s' % i, 'homeDirectory': '/home/%s' % rdn, 'userPassword': rdn, }) # Add the marker d.replace('description', TEST_MARKER)
def test_dsidm_config_sssd(topology_st, set_log_file): """ Test dsidm creation of sssd.conf content :id: 77812ba6-b133-40f4-91a7-13309618f24d :setup: Standalone instance :steps: 1. Run dsidm client_config sssd.conf 2. Enable MemberOfPlugin 3. Run dsidm client_config sssd.conf with allowed group :expectedresults: 1. Success 2. Success 3. Success """ standalone = topology_st.standalone sssd_content_list = [ 'Generated by 389 Directory Server - dsidm', 'id_provider = ldap', 'auth_provider = ldap', 'access_provider = ldap', 'chpass_provider = ldap', 'ldap_search_base = ' + DEFAULT_SUFFIX, 'ldap_uri = ' + standalone.ldapuri, 'ldap_user_member_of = memberof', 'ignore_group_members = False', '[sssd]', 'services = nss, pam, ssh, sudo', 'config_file_version = 2', 'domains = ldap', '[nss]', 'homedir_substring = /home' ] schema = 'ldap_schema = rfc2307' args = FakeArgs() args.allowed_group = None log.info('Create sssd.conf content') sssd_conf(standalone, DEFAULT_SUFFIX, log, args) log.info('Check if config creation was successful') check_value_in_log_and_reset(sssd_content_list, check_value=schema) log.info('Now we test allowed_group argument') log.info('Enable MemberOf plugin') plugin = MemberOfPlugin(standalone) plugin.enable() standalone.restart() log.info('Create test group') groups = Groups(standalone, DEFAULT_SUFFIX) test_group = groups.create(properties={ "cn": "new_group", "description": "testgroup" }) log.info('Create sssd.conf content with allowed group') filter_msg = [ 'ldap_access_filter = (memberOf={})'.format(test_group.dn), 'ldap_schema = rfc2307bis' ] args.allowed_group = test_group.rdn sssd_conf(standalone, DEFAULT_SUFFIX, log, args) log.info('Check if config creation was successful') check_value_in_log_and_reset(sssd_content_list, filter_msg)
def add_group_and_perform_user_operations(topology_st): topo = topology_st.standalone # Add the automember group groups = Groups(topo, DEFAULT_SUFFIX) group = groups.create(properties={'cn': 'group'}) ous = OrganizationalUnits(topo, DEFAULT_SUFFIX) branch1 = ous.create(properties={'ou': 'branch1'}) # Add the automember config entry am_configs = AutoMembershipDefinitions(topo) am_config = am_configs.create(properties={'cn': 'config', 'autoMemberScope': branch1.dn, 'autoMemberFilter': 'objectclass=top', 'autoMemberDefaultGroup': group.dn, 'autoMemberGroupingAttr': 'member:dn'}) # Add a user that should get added to the group users = UserAccounts(topo, DEFAULT_SUFFIX, rdn='ou={}'.format(branch1.rdn)) test_user = users.create_test_user(uid=777) # Check if created user is group member assert test_user.dn in group.list_members() log.info('Renaming user') test_user.rename('uid=new_test_user_777', newsuperior=SUFFIX) log.info('Delete the user') delete_obj(test_user) log.info('Delete automember entry, org. unit and group for the next test') delete_obj(am_config) delete_obj(branch1) delete_obj(group)
def add_a_group_with_users(request, topo): """ Add a group and users, which are members of this group. """ groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn=None) group = groups.create(properties={'cn': 'test_group'}) users_list = [] users_num = 100 users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None) for num in range(users_num): USER_NAME = f'test_{num}' user = users.create( properties={ 'uid': USER_NAME, 'sn': USER_NAME, 'cn': USER_NAME, 'uidNumber': f'{num}', 'gidNumber': f'{num}', 'homeDirectory': f'/home/{USER_NAME}' }) users_list.append(user) group.add_member(user.dn) def fin(): """ Removes group and users. """ # If the server crashed, start it again to do the cleanup if not topo.standalone.status(): topo.standalone.start() for user in users_list: user.delete() group.delete() request.addfinalizer(fin)
def add_member_and_group(server, cn, group_cn, subtree): users = UserAccounts(server, subtree, rdn=None) users.create( properties={ 'uid': f'test_{cn}', 'cn': f'test_{cn}', 'sn': f'test_{cn}', 'description': 'member', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/testuser' }) group = Groups(server, subtree, rdn=None) group.create( properties={ 'cn': group_cn, 'member': f'uid=test_{cn},{subtree}', 'description': 'group' })
def test_require_internal_index(topo): """Test nsslapd-ignore-virtual-attrs configuration attribute :id: 22b94f30-59e3-4f27-89a1-c4f4be036f7f :setup: Standalone instance :steps: 1. Set "nsslapd-require-internalop-index" to "on" 2. Enable RI plugin, and configure it to use an attribute that is not indexed 3. Create a user and add it a group 4. Deleting user should be rejected as the RI plugin issues an unindexed internal search :expectedresults: 1. Success 2. Success 3. Success 4. Success """ # Set the config be_insts = Backends(topo.standalone).list() for be in be_insts: if be.get_attr_val_utf8_l('nsslapd-suffix') == DEFAULT_SUFFIX: be.set('nsslapd-require-index', 'off') be.set('nsslapd-require-internalop-index', 'on') # Configure RI plugin rip = ReferentialIntegrityPlugin(topo.standalone) rip.set('referint-membership-attr', 'description') rip.enable() # Create a bunch of users db_cfg = DatabaseConfig(topo.standalone) db_cfg.set([('nsslapd-idlistscanlimit', '100')]) users = UserAccounts(topo.standalone, DEFAULT_SUFFIX) for i in range(102, 202): users.create_test_user(uid=i) # Create user and group user = users.create(properties={ 'uid': 'indexuser', 'cn' : 'indexuser', 'sn' : 'user', 'uidNumber' : '1010', 'gidNumber' : '2010', 'homeDirectory' : '/home/indexuser' }) groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={'cn': 'group', 'member': user.dn}) # Restart the server topo.standalone.restart() # Deletion of user should be rejected with pytest.raises(ldap.UNWILLING_TO_PERFORM): user.delete()
def test_users_and_groups(topology): """ Ensure that user and group management works as expected. """ if DEBUGGING: # Add debugging steps(if any)... pass users = UserAccounts(topology.standalone, DEFAULT_SUFFIX) groups = Groups(topology.standalone, DEFAULT_SUFFIX) # No user should exist assert(len(users.list()) == 0) # Create a user users.create(properties=TEST_USER_PROPERTIES) assert(len(users.list()) == 1) testuser = users.get('testuser') # Set password testuser.set('userPassword', 'password') # bind conn = testuser.bind('password') conn.unbind_s() # create group group_properties = { 'cn' : 'group1', 'description' : 'testgroup' } group = groups.create(properties=group_properties) # user shouldn't be a member assert(not group.is_member(testuser.dn)) # add user as member group.add_member(testuser.dn) # check they are a member assert(group.is_member(testuser.dn)) # remove user from group group.remove_member(testuser.dn) # check they are not a member assert(not group.is_member(testuser.dn)) group.delete() testuser.delete() log.info('Test PASSED')
def test_user_compare(topology): """ Testing compare function 1. Testing comparison of two different users. 2. Testing comparison of 'str' object with itself, should raise 'ValueError'. 3. Testing comparison of user with similar user (different object id). 4. Testing comparison of user with group. """ if DEBUGGING: # Add debugging steps(if any)... pass users = UserAccounts(topology.standalone, DEFAULT_SUFFIX) groups = Groups(topology.standalone, DEFAULT_SUFFIX) # Create 1st user user1_properties = { 'uid': 'testuser1', 'cn': 'testuser1', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/testuser1' } users.create(properties=user1_properties) testuser1 = users.get('testuser1') # Create 2nd user user2_properties = { 'uid': 'testuser2', 'cn': 'testuser2', 'sn': 'user', 'uidNumber': '1001', 'gidNumber': '2002', 'homeDirectory': '/home/testuser2' } users.create(properties=user2_properties) testuser2 = users.get('testuser2') # create group group_properties = {'cn': 'group1', 'description': 'testgroup'} testuser1_copy = users.get("testuser1") group = groups.create(properties=group_properties) assert (UserAccount.compare(testuser1, testuser2) == False) with pytest.raises(ValueError): UserAccount.compare("test_str_object", "test_str_object") assert (UserAccount.compare(testuser1, testuser1_copy) == True) assert (UserAccount.compare(testuser1, group) == False) log.info("Test PASSED")
def test_betxn_modrdn_memberof_cache_corruption(topology_st): """Test modrdn operations and memberOf be txn post op failures :id: 70d0b96e-b693-4bf7-bbf5-102a66ac5994 :setup: Standalone instance :steps: 1. Enable and configure memberOf plugin 2. Set memberofgroupattr="member" and memberofAutoAddOC="nsContainer" 3. Create group and user outside of memberOf plugin scope 4. Do modrdn to move group into scope 5. Do modrdn to move group into scope (again) :expectedresults: 1. memberOf plugin plugin should be ON 2. Set memberofgroupattr="member" and memberofAutoAddOC="nsContainer" should PASS 3. Creating group and user should PASS 4. Modrdn should fail with objectclass violation 5. Second modrdn should also fail with objectclass violation """ peoplebase = 'ou=people,%s' % DEFAULT_SUFFIX memberof = MemberOfPlugin(topology_st.standalone) memberof.enable() memberof.set_autoaddoc('nsContainer') # Bad OC memberof.set('memberOfEntryScope', peoplebase) memberof.set('memberOfAllBackends', 'on') topology_st.standalone.restart() groups = Groups(topology_st.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ 'cn': 'group', }) # Create user and add it to group users = UserAccounts(topology_st.standalone, basedn=DEFAULT_SUFFIX) user = users.ensure_state(properties=TEST_USER_PROPERTIES) if not ds_is_older('1.3.7'): user.remove('objectClass', 'nsMemberOf') group.add_member(user.dn) # Attempt modrdn that should fail, but the original entry should stay in the cache with pytest.raises(ldap.OBJECT_CLASS_VIOLATION): group.rename('cn=group_to_people', newsuperior=peoplebase) # Should fail, but not with NO_SUCH_OBJECT as the original entry should still be in the cache with pytest.raises(ldap.OBJECT_CLASS_VIOLATION): group.rename('cn=group_to_people', newsuperior=peoplebase) # Done log.info('test_betxn_modrdn_memberof: PASSED')
def test_deny_read_access_to_multiple_groupdns(topo, test_uer, aci_of_user): """Search Test 6 Deny read access to multiple groupdn's :id: 8f3ba440-6e11-11e8-8b20-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add_member(USER_ANANDA) posix_groups = PosixGroups(topo.standalone, DEFAULT_SUFFIX) posix_group = posix_groups.create(properties={ "cn": "group2", "description": "testgroup2", "gidNumber": "2000", }) posix_group.add_member(USER_ANUJ) ACI_TARGET = '(targetattr="*")' ACI_ALLOW = '(version 3.0; acl "All rights for cn=group1,ou=Groups,{}"; deny(read)'.format( DEFAULT_SUFFIX) ACI_SUBJECT = 'groupdn="ldap:///cn=group1,ou=Groups,{}||ldap:///cn=group2,ou=Groups,{}";)'.format( DEFAULT_SUFFIX, DEFAULT_SUFFIX) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";) assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";) assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 5 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)')) group = groups.get("group1") group.delete() posix_groups.get("group2") posix_group.delete()
def test_scheme_violation_errors_logged(topo_m2): """Check that ERR messages are verbose enough, if a member entry doesn't have the appropriate objectclass to support 'memberof' attribute :id: e2af0aaa-447e-4e85-a5ce-57ae66260d0b :setup: Standalone instance :steps: 1. Enable memberofPlugin and set autoaddoc to nsMemberOf 2. Restart the instance 3. Add a user without nsMemberOf attribute 4. Create a group and add the user to the group 5. Check that user has memberOf attribute 6. Check the error log for ".*oc_check_allowed_sv.*USER_DN.*memberOf.*not allowed.*" and ".*schema violation caught - repair operation.*" patterns :expectedresults: 1. Should be successful 2. Should be successful 3. Should be successful 4. Should be successful 5. User should have the attribute 6. Errors should be logged """ inst = topo_m2.ms["master1"] memberof = MemberOfPlugin(inst) memberof.enable() memberof.set_autoaddoc('nsMemberOf') inst.restart() users = UserAccounts(inst, SUFFIX) user_props = TEST_USER_PROPERTIES.copy() user_props.update({'uid': USER_CN, 'cn': USER_CN, 'sn': USER_CN}) testuser = users.create(properties=user_props) testuser.remove('objectclass', 'nsMemberOf') groups = Groups(inst, SUFFIX) testgroup = groups.create(properties={'cn': GROUP_CN}) testgroup.add('member', testuser.dn) user_memberof_attr = testuser.get_attr_val_utf8('memberof') assert user_memberof_attr log.info('memberOf attr value - {}'.format(user_memberof_attr)) pattern = ".*oc_check_allowed_sv.*{}.*memberOf.*not allowed.*".format( testuser.dn) log.info("pattern = %s" % pattern) assert inst.ds_error_log.match(pattern) pattern = ".*schema violation caught - repair operation.*" assert inst.ds_error_log.match(pattern)
def setup(topology_st, request): """ Enable USN plug-in Enable MEMBEROF plugin Add test entries """ inst = topology_st.standalone log.info("Enable the USN plugin...") plugin = USNPlugin(inst) plugin.enable() log.info("Enable the MEMBEROF plugin...") plugin = MemberOfPlugin(inst) plugin.enable() inst.restart() users_list = [] log.info("Adding test entries...") users = UserAccounts(inst, DEFAULT_SUFFIX) for id in range(USER_NUM): user = users.create_test_user(uid=id) users_list.append(user) groups_list = [] log.info("Adding test groups...") groups = Groups(inst, DEFAULT_SUFFIX) for id in range(GROUP_NUM): group = groups.create(properties={'cn': f'test_group{id}'}) groups_list.append(group) def fin(): for user in users_list: try: user.delete() except ldap.NO_SUCH_OBJECT: pass for group in groups_list: try: group.delete() except ldap.NO_SUCH_OBJECT: pass request.addfinalizer(fin) return {"users": users_list, "groups": groups_list}
def test_allow_selfwrite_access_to_anyone(topo, aci_of_user, cleanup_tree): """ Modify Test 8 Allow selfwrite access to anyone :id:8b3becf0-7abf-11e8-ac34-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) ACI_BODY = '(target = ldap:///cn=group1,ou=Groups,{})(targetattr = "member")(version 3.0; acl "ACI NAME"; allow (selfwrite) (userdn = "ldap:///anyone") ;)'.format( DEFAULT_SUFFIX) Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) ou = OrganizationalUnit(topo.standalone, "ou=Product Development,{}".format(DEFAULT_SUFFIX)) ou.create(properties={'ou': 'Product Development'}) properties = { 'uid': 'Jeff Vedder', 'cn': 'Jeff Vedder', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'JeffVedder', 'userPassword': PW_DM } user = UserAccount( topo.standalone, "cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX)) user.create(properties=properties) conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM) # Allow selfwrite access to anyone groups = Groups(conn, DEFAULT_SUFFIX) groups.list()[0].add_member(USER_DELADD) group.delete()
def test_group_aci_entry_exists(topo,create_user): """This test case adds the groupdn aci and check ger contains 'vadn' :id: 1d73f715-e4b3-4ed6-a93b-9d529898ca78 :setup: Standalone instance :steps: 1. Create a group. 2. Add the user as member into the group. 3. Apply the ACI which will give the group full rights. 4. Check entryLevelRights value for entries. 5. Check 'vadn' is in the entryLevelRights. :expectedresults: 1. It should pass 2. It should pass 3. It should pass 4. It should pass 5. It should pass """ (test_user,request_ctrl) = create_user log.info('Adding group {}'.format(TEST_GROUP_NAME)) groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn=None) group_properties = { 'cn': TEST_GROUP_NAME, 'description': 'testgroup'} test_group = groups.create(properties=group_properties) test_group.add_member(test_user.dn) suffix = Domain(topo.standalone, DEFAULT_SUFFIX) ACI_TARGET = '(targetattr="*")' ACI_TARGET_FILTER = '(targetfilter ="(objectClass=person)")' ACI_ALLOW = '(version 3.0; acl "give group1 full rights"; allow (all) ' ACI_SUBJECT = 'groupdn = "ldap:///{}";)'.format(test_group.dn) ACI_BODY = ACI_TARGET + ACI_TARGET_FILTER + ACI_ALLOW + ACI_SUBJECT log.info("Add an ACI granting add access to a user matching the groupdn") suffix.add('aci', ACI_BODY) entries = topo.standalone.search_ext('{}'.format(test_user.dn), ldap.SCOPE_SUBTREE, "objectclass=person", serverctrls=[request_ctrl]) rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(entries) for dn, attrs in rdata: topo.standalone.log.info("dn: %s" % dn) value = attrs['entryLevelRights'][0] topo.standalone.log.info("######## entryLevelRights: %r" % value) assert b'vadn' in value
def test_mul_derive_mult_dn(topology_st): """Test that with multiple cn we derive rdn correctly. :id: 1e1f5483-bfad-4f73-9dfb-aec54d08b268 :setup: standalone instance :steps: 1. Create with multiple cn :expectedresults: 1. Create success """ gps = Groups(topology_st.standalone, DEFAULT_SUFFIX) gp = gps.create(properties={ 'cn': ['test_mul_derive_mult_dn', 'test_mul_derive_single_dn'], }) assert gp.dn.lower( ) == f'cn=test_mul_derive_mult_dn,ou=groups,{DEFAULT_SUFFIX}'.lower() gp.delete()
def test_mul_derive_single_dn(topology_st): """Test that with single cn we derive rdn correctly. :id: f34f271a-ca57-4aa0-905a-b5392ce06c79 :setup: standalone instance :steps: 1. Create with single cn :expectedresults: 1. Create success """ gps = Groups(topology_st.standalone, DEFAULT_SUFFIX) gp = gps.create(properties={ 'cn': ['test_mul_derive_single_dn'], }) assert gp.dn.lower( ) == f'cn=test_mul_derive_single_dn,ou=groups,{DEFAULT_SUFFIX}'.lower() gp.delete()
def test_betxn_memberof(topology_st): """Test PLUGIN_MEMBER_OF plugin :id: 70d0b96e-b693-4bf7-bbf5-102a66ac5993 :setup: Standalone instance and enabled dynamic plugins :steps: 1. Enable and configure memberOf plugin 2. Set memberofgroupattr="member" and memberofAutoAddOC="referral" 3. Add two test groups - group1 and group2 4. Add group2 to group1 5. Add group1 to group2 :expectedresults: 1. memberOf plugin plugin should be ON 2. Set memberofgroupattr="member" and memberofAutoAddOC="referral" should PASS 3. Add operation should PASS 4. Add operation should FAIL 5. Add operation should FAIL """ memberof = MemberOfPlugin(topology_st.standalone) memberof.enable() memberof.set_autoaddoc('referral') topology_st.standalone.restart() groups = Groups(topology_st.standalone, DEFAULT_SUFFIX) group1 = groups.create(properties={'cn': 'group1'}) group2 = groups.create(properties={'cn': 'group2'}) # We may need to mod groups to not have nsMemberOf ... ? if not ds_is_older('1.3.7'): group1.remove('objectClass', 'nsMemberOf') group2.remove('objectClass', 'nsMemberOf') # Add group2 to group1 - it should fail with objectclass violation with pytest.raises(ldap.OBJECT_CLASS_VIOLATION): group1.add_member(group2.dn) # verify entry cache reflects the current/correct state of group1 assert not group1.is_member(group2.dn) # Done log.info('test_betxn_memberof: PASSED')
def test_deny_read_access_to_dynamic_group_with_host_port_set_on_ldap_url( topo, test_uer, aci_of_user): """Search Test 27 Deny read access to dynamic group with host:port set on LDAP URL :id: ceb62158-6e12-11e8-8c36-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add('objectClass', 'groupOfURLS') group.set( 'memberURL', "ldap:///localhost:38901/{}??sub?(&(ou=Accounting)(cn=Sam*))".format( DEFAULT_SUFFIX)) group.add_member(USER_ANANDA) ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format( DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown" ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format( DEFAULT_SUFFIX) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block 'memberURL', "ldap:///localhost:38901/dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))" assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)')) group.delete()
def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user): """ Test to Allow delete access to != dynamic group :id: 14ffa452-68ed-11e8-a60d-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI that delete access to != dynamic group 3. Delete something using test USER_DELADD 4. Remove ACI :expectedresults: 1. Entry should be added 2. ACI should be added 3. Operation should not succeed 4. Delete operation for ACI should succeed """ # Create dynamic group groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add("objectclass", "groupOfURLs") group.add( "memberURL", f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))' ) # Set ACI Domain(topo.standalone, DEFAULT_SUFFIX).\ add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})' f'(targetattr=*)(version 3.0; acl "$tet_thistest"; ' f'allow (delete) (groupdn != "ldap:///{group.dn}"); )') # create connection with USER_WITH_ACI_DELADD conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) user = UserAccount(conn, USER_DELADD) # Perform Allow delete access to != dynamic group with pytest.raises(ldap.INSUFFICIENT_ACCESS): user.delete()
def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user, request): """Test to Allow delete access to dynamic group :id: 010a4f20-752a-4173-b763-f520c7a85b82 :setup: server :steps: 1. Add test entry 2. Add ACI that Allow delete privilege to dynamic group 3. Delete something using test USER_DELADD 4. Remove ACI :expectedresults: 1. Entry should be added 2. ACI should be added 3. Operation should succeed 4. Delete operation for ACI should succeed """ # Create dynamic group groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add("objectclass", "groupOfURLs") group.add( "memberURL", f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))' ) # Set ACI Domain(topo.standalone, DEFAULT_SUFFIX).\ add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})' f'(targetattr="uid")(version 3.0; acl "{request.node.name}"; ' f'allow (delete) (groupdn = "ldap:///{group.dn}"); )') # create connection with USER_WITH_ACI_DELADD conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) # Perform Allow delete access to dynamic group UserAccount(conn, USER_DELADD).delete()
def automember_fixture(topo, request): # Create group group_obj = Groups(topo.standalone, DEFAULT_SUFFIX) automem_group = group_obj.create(properties={'cn': 'testgroup'}) # Create users users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None) NUM_USERS = 1000 for num in range(NUM_USERS): num_ran = int(round(num)) USER_NAME = 'test%05d' % num_ran users.create( properties={ 'uid': USER_NAME, 'sn': USER_NAME, 'cn': USER_NAME, 'uidNumber': '%s' % num_ran, 'gidNumber': '%s' % num_ran, 'homeDirectory': '/home/%s' % USER_NAME, 'mail': '*****@*****.**' % USER_NAME, 'userpassword': '******' % num_ran, }) # Create automember definitions and regex rules automember_prop = { 'cn': 'testgroup_definition', 'autoMemberScope': DEFAULT_SUFFIX, 'autoMemberFilter': 'objectclass=posixaccount', 'autoMemberDefaultGroup': automem_group.dn, 'autoMemberGroupingAttr': 'member:dn', } automembers = AutoMembershipDefinitions(topo.standalone) auto_def = automembers.create(properties=automember_prop) auto_def.add_regex_rule("regex1", automem_group.dn, include_regex=['uid=.*']) # Enable plugin automemberplugin = AutoMembershipPlugin(topo.standalone) automemberplugin.enable() topo.standalone.restart()
def test_deny_read_access_to_a_dynamic_group(topo, test_uer, aci_of_user): """Search Test 26 Deny read access to a dynamic group :id: c0c5290e-6e12-11e8-a900-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ groups = Groups(topo.standalone, DEFAULT_SUFFIX) group_properties = {"cn": "group1", "description": "testgroup"} group = groups.create(properties=group_properties) group.add('objectClass', 'groupOfURLS') group.set( 'memberURL', "ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX)) group.add_member(USER_ANANDA) ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format( DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown" ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format( DEFAULT_SUFFIX) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block all 'memberURL', "ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX) assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # USER_ANUJ is not a member assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) group.delete()
def test_mul_explicit_rdn(topology_st): """Test that with multiple cn and an explicit rdn, we use the rdn :id: b39ef204-45c0-4a74-9b59-b4ac1199d78c :setup: standalone instance :steps: 1. Create with mulitple cn and rdn :expectedresults: 1. Create success """ # Create with an explicit rdn value, given to the properties/rdn gps = Groups(topology_st.standalone, DEFAULT_SUFFIX) gp = gps.create( 'cn=test_mul_explicit_rdn', properties={ 'cn': ['test_mul_explicit_rdn', 'other_cn_test_mul_explicit_rdn'], }) assert gp.dn.lower( ) == f'cn=test_mul_explicit_rdn,ou=groups,{DEFAULT_SUFFIX}'.lower() gp.delete()
def test_deny_read_access_to_dynamic_group_two(topo, test_uer, aci_of_user): """ Search Test 29 Deny read access to != dynamic group :id: eae2a6c6-6e12-11e8-80f3-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ groups = Groups(topo.standalone, DEFAULT_SUFFIX) group_properties = {"cn": "group1", "description": "testgroup" } group = groups.create(properties=group_properties) group.add('objectClass', 'groupofuniquenames') group.set('uniquemember', [USER_ANANDA,USER_ANUJ]) ACI_TARGET = '(targetattr = "*")' ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read) ' % "Unknown" ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format(DEFAULT_SUFFIX) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block groupdn = "ldap:///cn=group1,ou=Groups,dc=example,dc=com";) assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block groupdn = "ldap:///cn=group1,ou=Groups,dc=example,dc=com";) assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)')) group.delete()
def test_allow_delete_access_not_to_group(topo, _add_user, _aci_of_user): """ Test to Allow delete access to != groupdn :id: f58fc8b0-68e5-11e8-9313-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI that allows groupdn not to delete some userdn 3. Delete something using test USER_DELADD belong to test group 4. Remove ACI :expectedresults: 1. Entry should be added 2. ACI should be added 3. Operation should not succeed 4. Delete operation for ACI should succeed """ # Create group groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add_member(USER_WITH_ACI_DELADD) # set aci aci_target = f'(targetattr="*")' aci_allow = f'(version 3.0; acl "All rights for {group.dn}"; allow (delete)' aci_subject = f'groupdn!="ldap:///{group.dn}";)' Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject)) # create connection with USER_WITH_ACI_DELADD conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) user = UserAccount(conn, USER_DELADD) # Perform delete operation with pytest.raises(ldap.INSUFFICIENT_ACCESS): user.delete()
def test_allow_delete_access_to_groupdn(topo, _add_user, _aci_of_user): """ Test allow delete access to groupdn :id: 7cf15992-68ad-11e8-85af-54e1ad30572c :setup: topo.standalone :steps: 1. Add test entry 2. Add ACI that allows groupdn to delete 3. Delete something using test USER_DELADD 4. Remove ACI :expectedresults: 1. Entry should be added 2. ACI should be added 3. Delete operation should succeed 4. Delete operation for ACI should succeed """ # Create Group and add member groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add_member(USER_WITH_ACI_DELADD) # set aci aci_target = f'(targetattr="*")' aci_allow = f'(version 3.0; acl "All rights for {group.dn}"; allow (delete) ' aci_subject = f'groupdn="ldap:///{group.dn}";)' Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject)) # create connection with USER_WITH_ACI_DELADD conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) # Perform delete operation for i in [USER_DELADD, USER_WITH_ACI_DELADD]: UserAccount(conn, i).delete()
def automember_fixture(topo, request): groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={'cn': 'testgroup'}) automemberplugin = AutoMembershipPlugin(topo.standalone) automemberplugin.enable() topo.standalone.restart() automember_prop = { 'cn': 'testgroup_definition', 'autoMemberScope': 'ou=People,' + DEFAULT_SUFFIX, 'autoMemberFilter': 'objectclass=*', 'autoMemberDefaultGroup': group.dn, 'autoMemberGroupingAttr': 'member:dn', } automembers = AutoMembershipDefinitions(topo.standalone, "cn=Auto Membership Plugin,cn=plugins,cn=config") automember = automembers.create(properties=automember_prop) return (group, automembers, automember)