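def create_test_ou(instance, ou=None, suffix=None):
    """
    Creates a new Organizational Unit for testing.

    It tries to create a ou that doesn't already exist by using a different ID
    each time. However, if it is provided with an existing ou/suffix it will
    fail to create a new ou and it will raise an LDAP error.

    :param instance: the DirSrv instance the OU is created on
    :param ou: RDN value of the OU. When None, "TestOU_<n>" is used with the
               module-level counter ``test_ou_id``, which is bumped so the
               next call gets a fresh name.
    :param suffix: parent DN of the OU; defaults to DEFAULT_SUFFIX
    :returns: the OrganizationalUnit object of the created entry
    :raises: an LDAP error from ``create()`` if the entry already exists
    """
    global test_ou_id
    if ou is None:
        ou = "TestOU_" + str(test_ou_id)
        # Advance the counter only when we generated the name ourselves.
        test_ou_id += 1
    if suffix is None:
        suffix = DEFAULT_SUFFIX

    # Build the DN once in its only valid form ("ou=<value>,<suffix>"); the
    # bare "<value>,<suffix>" form that used to be assigned first was never a
    # DN and was immediately overwritten.
    dn = "ou=" + ou + "," + suffix
    properties = {
        'ou': ou,
    }
    # Keep the OU object under its own name instead of rebinding the ``ou``
    # parameter, so the RDN string stays readable for the whole function.
    org_unit = OrganizationalUnit(instance, dn)
    org_unit.create(properties=properties)
    return org_unit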
def test_user_binds_without_any_password_and_cannot_access_the_data(
        topo, add_user, aci_of_user):
    """User binds without any password and cannot access the data

    :id: 205777fa-7ac5-11e8-ba2f-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add the SIMPLE_ACI_KEY ACI
        3. Bind anonymously and try to modify the AUTHMETHOD OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    # The ACI under test requires an authenticated (simple) bind.
    _add_aci(topo, SIMPLE_ACI_KEY)

    # An anonymous connection carries no authmethod, so it must be denied.
    anon_conn = Anonymous(topo.standalone).bind()
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        OrganizationalUnit(anon_conn, AUTHMETHOD_OU_KEY).replace("seeAlso", "cn=1")
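def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):
    """
    User can access the data one day per week as per the ACI.

    :id: 7131dc88-7ac5-11e8-acc2-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add an ACI whose dayofweek is today's abbreviated weekday
        3. Bind as TODAY_KEY and modify the DAYOFWEEK OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # "%a" yields the abbreviated weekday name directly; splitting "%c" only
    # worked while the locale's date format happened to start with the
    # weekday. The ACI keyword needs the English abbreviation (Sun..Sat), so
    # this still assumes a C/English locale — TODO confirm the test runner
    # locale if this ever fails on a localised host.
    today_1 = time.strftime("%a")
    # Add ACI
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
                                                  f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
                                                  f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
                                                  f'and dayofweek = \'{today_1}\' ;)')
    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, TODAY_KEY).bind(PW_DM)
    # Perform Operation: allowed because today matches the ACI's dayofweek.
    org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
    org.replace("seeAlso", "cn=1")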
def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user):
    """
    User can access the data EVERYDAY_KEY as per the ACI.

    :id: 6c5922ca-7ac5-11e8-8f01-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add an ACI whose dayofweek lists all seven days
        3. Bind as EVERYDAY_KEY and modify the DAYOFWEEK OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # Every weekday is listed, so the dayofweek condition is always true.
    everyday_aci = (f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
                    f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
                    f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '
                    f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", everyday_aci)

    # Bind as the user named in the ACI and perform the modify.
    as_everyday = UserAccount(topo.standalone, EVERYDAY_KEY).bind(PW_DM)
    target_ou = OrganizationalUnit(as_everyday, DAYOFWEEK_OU_KEY)
    target_ou.replace("seeAlso", "cn=1")
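def test_user_cannot_access_the_data_if_not_from_a_certain_domain(
        topo, add_user, aci_of_user):
    """User cannot access the data if not from a certain domain as per the ACI.

    :id: 3d658972-7ac5-11e8-930f-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add an ACI on the DNS OU restricted to dns = RAP.rock.SALSA.house.COM
        3. Bind as NODNS_KEY (not from that host) and modify the DNS OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    # Add ACI
    Domain(topo.standalone, DEFAULT_SUFFIX).\
        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
                   f'(version 3.0; aci "DNS aci"; allow(all) '
                   f'userdn = "ldap:///{NODNS_KEY}" '
                   f'and dns = "RAP.rock.SALSA.house.COM" ;)')
    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
    # Perform Operation on the OU the ACI actually targets. Previously the
    # modify went to AUTHMETHOD_OU_KEY, which no ACI in this test grants, so
    # the denial was unrelated to the dns keyword being exercised (compare
    # test_dnsalias_keyword_test_nodns_cannot, which targets DNS_OU_KEY).
    org = OrganizationalUnit(conn, DNS_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")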
def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):
    """
    User NoIP cannot access the data as per the ACI.

    :id: 570bc7f6-7ac5-11e8-88c1-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add an ACI granting FULLIP_KEY access from any ip
        3. Bind as NOIP_KEY (not named in the ACI) and modify the IP OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    # The grant is for FULLIP_KEY only; NOIP_KEY gets nothing from it.
    ip_aci = (f'(target ="ldap:///{IP_OU_KEY}")'
              f'(targetattr="*")(version 3.0; aci "IP aci"; allow(all) '
              f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ip_aci)

    as_noip = UserAccount(topo.standalone, NOIP_KEY).bind(PW_DM)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        OrganizationalUnit(as_noip, IP_OU_KEY).replace("seeAlso", "cn=1")
def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):
    """
    User can access the data at any time as per the ACI.

    :id: 5b4da91a-7ac5-11e8-bbda-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add an ACI whose timeofday window covers 0000-2359
        3. Bind as FULLWORKER_KEY and modify the TIMEOFDAY OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # A 0000..2359 window is always satisfied, whatever the clock says.
    allday_aci = (f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
                  f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
                  f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '
                  f'(timeofday >= "0000" and timeofday <= "2359") ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", allday_aci)

    as_worker = UserAccount(topo.standalone, FULLWORKER_KEY).bind(PW_DM)
    target_ou = OrganizationalUnit(as_worker, TIMEOFDAY_OU_KEY)
    target_ou.replace("seeAlso", "cn=1")
def test_authenticated_but_has_no_rigth_on_the_data(topo, add_user, aci_of_user):
    """User has a password. He is authenticated but has no right on the data.

    :id: 11be7ebe-7ac5-11e8-b754-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add the NONE_ACI_KEY ACI
        3. Bind as SIMPLE_1_KEY with a password and modify the AUTHMETHOD OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    _add_aci(topo, NONE_ACI_KEY)

    # Authentication alone grants nothing: the bind succeeds, the modify does not.
    as_simple1 = UserAccount(topo.standalone, SIMPLE_1_KEY).bind(PW_DM)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        OrganizationalUnit(as_simple1, AUTHMETHOD_OU_KEY).replace("seeAlso", "cn=1")
def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
    """Dnsalias Keyword NODNS_KEY cannot access data as per the ACI.

    :id: 41b467be-7ac5-11e8-89a3-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add an ACI restricted to dnsalias = RAP.rock.SALSA.house.COM
        3. Bind as NODNS_KEY (not from that host) and modify the DNS OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    # The test client is not RAP.rock.SALSA.house.COM, so the dnsalias
    # condition fails and the grant does not apply.
    dnsalias_aci = (f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
                    f'(version 3.0; aci "DNS aci"; allow(all) '
                    f'userdn = "ldap:///{NODNS_KEY}" and '
                    f'dnsalias = "RAP.rock.SALSA.house.COM" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", dnsalias_aci)

    as_nodns = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        OrganizationalUnit(as_nodns, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):
    """
    User cannot access the data at all as per the ACI.

    :id: 75cdac5e-7ac5-11e8-968a-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add a dayofweek ACI for TODAY_KEY
        3. Bind as NODAY_KEY (not named in the ACI) and modify the DAYOFWEEK OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    # NOTE(review): the dayofweek value "$NEW_DATE" is a literal (no shell
    # expansion happens here); the denial below comes from NODAY_KEY not
    # being the userdn of this ACI.
    noday_aci = (f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
                 f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
                 f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
                 f'and dayofweek = "$NEW_DATE" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", noday_aci)

    as_noday = UserAccount(topo.standalone, NODAY_KEY).bind(PW_DM)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        OrganizationalUnit(as_noday, DAYOFWEEK_OU_KEY).replace("seeAlso", "cn=1")
def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
    """Non-regression test for BUG 326000: MemberURL needs to be normalized

    :id: a5d172e6-7db8-11e8-aca7-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Put a groupdn ACI on ou=PEOPLE granting a dynamic group
        2. Create the dynamic group and two test users; bind as the second
        3. Modify with the memberURL as written, then with mixed-case uid
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Both modifies should succeed (the URL is normalized server side)
    """
    people_ou = OrganizationalUnit(topo.standalone, "ou=PEOPLE,{}".format(DEFAULT_SUFFIX))
    # The groupdn deliberately contains odd spacing ("cn =DYNGROUP", ", ")
    # so that DN normalization of the ACI subject is exercised too.
    people_ou.set(
        'aci', '(targetattr= *)'
               '(version 3.0; acl "tester"; allow(all) '
               'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'.format(
            DEFAULT_SUFFIX))

    member_url = "ldap:///ou=PEOPLE,{}??sub?(uid=test_user_2)".format(DEFAULT_SUFFIX)
    Groups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=PEOPLE').create(
        properties={
            "cn": "DYNGROUP",
            "description": "DYNGROUP",
            'objectClass': 'groupOfURLS',
            'memberURL': member_url
        })

    accounts = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    for num, description in [(1, "Entry to test rights on."), (2, "Member of DYNGROUP")]:
        created = accounts.create_test_user(uid=num, gid=num)
        created.replace_many(('description', description), ('userPassword', PW_DM))

    # With the normal memberURL: the second listed user (assumed to be
    # test_user_2, the dynamic member) can write to itself.
    member_dn = accounts.list()[1].dn
    member_conn = UserAccount(topo.standalone, member_dn).bind(PW_DM)
    harry = UserAccount(member_conn, member_dn)
    harry.add('sn', 'FRED')

    # With the abnormal (mixed-case) memberURL the grant must still apply.
    dyn_group = Group(topo.standalone, DYNGROUP)
    dyn_group.remove('memberurl', member_url)
    dyn_group.add(
        'memberurl', "ldap:///ou=PEOPLE,{}??sub?(uid=tesT_UsEr_2)".format(DEFAULT_SUFFIX))
    harry.add('sn', 'Not FRED')

    for leftover in accounts.list():
        leftover.delete()
def test_renaming_target_entry(topo, _add_user, aci_of_user):
    """Test for renaming target entry

    :id: 6be1d33a-7932-11e8-9115-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Create a test user entry
        3. Create a new ou entry with an aci
        4. Make sure uid=$MYUID has the access
        5. Rename ou=OU0 to ou=OU1
        6. Create another ou=OU2
        7. Move ou=OU1 under ou=OU2
        8. Make sure uid=$MYUID still has the access
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should succeed
        5. Operation should succeed
        6. Operation should succeed
        7. Operation should succeed
        8. Operation should succeed
    """
    uid = 'TRAC340_MODRDN'
    account = UserAccount(topo.standalone, 'cn={},{}'.format(uid, DEFAULT_SUFFIX))
    account.create(properties={
        'uid': uid,
        'cn': uid,
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + uid
    })
    # NOTE(review): the password set here is the literal "password" while
    # the bind below uses PW_DM — presumably the same value; confirm.
    account.set("userPassword", "password")

    ou0 = OrganizationalUnit(topo.standalone, 'ou=OU0,{}'.format(DEFAULT_SUFFIX))
    ou0.create(properties={'ou': 'OU0'})
    ou0.set(
        'aci', '(targetattr="*")(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'
        .format(TRAC340_MODRDN))

    as_user = UserAccount(topo.standalone, TRAC340_MODRDN).bind(PW_DM)
    admin_ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
    user_ous = OrganizationalUnits(as_user, DEFAULT_SUFFIX)
    assert user_ous.get('OU0')

    # Rename the ACI-bearing entry in place: the grant must follow it.
    admin_ous.get('OU0').rename("ou=OU1")
    assert user_ous.get('OU1')

    ou2 = OrganizationalUnit(topo.standalone, 'ou=OU2,{}'.format(DEFAULT_SUFFIX))
    ou2.create(properties={'ou': 'OU2'})

    # Move it under a new parent: the grant must still follow it.
    admin_ous.get('OU1').rename("ou=OU1", newsuperior=OU2_OU_MODRDN)
    assert user_ous.get('OU1')
def _populate_suffix(instance, suffixname):
    """Create "o=<suffixname>" and an "ou=people" container beneath it.

    :param instance: the DirSrv instance to populate
    :param suffixname: value of the ``o`` attribute of the new suffix
    """
    org_dn = 'o={}'.format(suffixname)
    Organization(instance, org_dn).create(properties={
        'o': suffixname,
        'description': 'test'
    })
    OrganizationalUnit(instance, 'ou=people,' + org_dn).create(properties={
        'ou': 'people'
    })
def test_allow_write_access_to_target_with_wildcards(topo, aci_of_user, cleanup_tree):
    """
    Modify Test 6 Allow write access to target with wildcards

    :id:825fe884-7abf-11e8-8541-8c16451d917b
    :setup: server
    :steps:
        1. Add an ACI granting write on the whole suffix to anyone
        2. Create three OUs and a user under each
        3. Bind as two different users and add a title attribute
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # Suffix-wide write for "anyone": this is the permissive grant the test
    # exercises, not a pattern for a real deployment.
    ACI_BODY = '(target = ldap:///{})(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'.format(
        DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    for ou_name in ['Product Development', 'Accounting', 'Human Resources']:
        OrganizationalUnit(topo.standalone, "ou={},{}".format(ou_name, DEFAULT_SUFFIX)).create(
            properties={'ou': ou_name})

    # Note the stray space in "Kirsten Vaughan, ou=Human Resources": it is
    # kept so DN normalization of the target is part of what is tested.
    for rdn_path in [
        'Jeff Vedder,ou=Product Development',
        'Sam Carter,ou=Accounting',
        'Kirsten Vaughan, ou=Human Resources'
    ]:
        UserAccount(topo.standalone, "cn={},{}".format(rdn_path, DEFAULT_SUFFIX)).create(
            properties={
                'uid': rdn_path,
                'cn': rdn_path,
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + rdn_path,
                'userPassword': PW_DM
            })

    # Allow write access to target with wildcards: one user writes to another.
    as_deladd = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
    kirsten = UserAccount(as_deladd, KIRSTENVAUGHAN)
    kirsten.add("title", "Architect")
    assert kirsten.get_attr_val('title')

    as_aci_user = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    deladd = UserAccount(as_aci_user, USER_DELADD)
    deladd.add("title", "Architect")
    assert deladd.get_attr_val('title')
def fin():
    """
    Deletes entries after the test.

    Removes every user and group under DEFAULT_SUFFIX, then the
    "ou=Accounting" OU. Relies on ``topo`` from the enclosing scope.
    """
    leftovers = []
    leftovers.extend(UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None).list())
    leftovers.extend(Groups(topo.standalone, DEFAULT_SUFFIX).list())
    for entry in leftovers:
        entry.delete()
    # The OU is removed last, once nothing remains beneath it.
    OrganizationalUnit(topo.standalone, f'ou=Accounting,{DEFAULT_SUFFIX}').delete()
def test_allow_write_access_to_userdnattr(topo, aci_of_user, cleanup_tree, request):
    """Modify Test 7 Allow write access to userdnattr

    :id: 86b418f6-7abf-11e8-ae28-8c16451d917b
    :setup: server
    :steps:
        1. Add an ACI granting write on the suffix to anyone
        2. Create two OUs and a user under each; set manager on one
        3. Bind as that user and add uid values to the other user
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # The acl name is the pytest node name, which makes the ACI easy to
    # spot in the access log if the test leaves it behind.
    ACI_BODY = '(target = ldap:///{})(targetattr=*)(version 3.0; acl "{}";allow (write) (userdn = "ldap:///anyone"); )'.format(
        DEFAULT_SUFFIX, request.node.name)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    for ou_name in ['Product Development', 'Accounting']:
        OrganizationalUnit(topo.standalone, "ou={},{}".format(ou_name, DEFAULT_SUFFIX)).create(
            properties={'ou': ou_name})

    for rdn_path in [
        'Jeff Vedder,ou=Product Development',
        'Sam Carter,ou=Accounting'
    ]:
        UserAccount(topo.standalone, "cn={},{}".format(rdn_path, DEFAULT_SUFFIX)).create(
            properties={
                'uid': rdn_path,
                'cn': rdn_path,
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + rdn_path,
                'userPassword': PW_DM
            })

    aci_user = UserAccount(topo.standalone, USER_WITH_ACI_DELADD)
    aci_user.add('manager', USER_WITH_ACI_DELADD)
    as_aci_user = aci_user.bind(PW_DM)

    # Allow write access to userdnattr
    target = UserAccount(as_aci_user, USER_DELADD)
    for extra_uid in ('scoobie', 'jvedder'):
        target.add('uid', extra_uid)
        assert target.get_attr_val('uid')
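def test_ticket50234(topology_st):
    """
    The fix for ticket 50234

    The test sequence is:
    - create more than 10 entries with objectclass organizational units ou=org{}
    - add an Account in one of them, eg below ou=org5
    - do searches with search base ou=org5 and search filter "objectclass=organizationalunit"
    - a subtree search should return 1 entry, the base entry
    - a onelevel search should return no entry

    :param topology_st: standalone topology fixture
    """
    log.info(
        'Testing Ticket 50234 - onelvel search returns not matching entry')

    for i in range(1, 15):
        ou = OrganizationalUnit(topology_st.standalone, "ou=Org{},{}".format(i, DEFAULT_SUFFIX))
        # 'Org{}' (with the placeholder) so the ou attribute matches the RDN;
        # the former 'Org'.format(i) silently dropped the index.
        ou.create(properties={'ou': 'Org{}'.format(i)})

    properties = {
        'uid': 'Jeff Vedder',
        'cn': 'Jeff Vedder',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'JeffVedder',
        'userPassword': '******'
    }
    user = UserAccount(topology_st.standalone, "cn=Jeff Vedder,ou=org5,{}".format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    # In a subtree search the entry used as search base matches the filter and
    # should be returned; getEntry raising would fail the test here.
    topology_st.standalone.getEntry("ou=org5,{}".format(DEFAULT_SUFFIX), ldap.SCOPE_SUBTREE,
                                    "(objectclass=organizationalunit)")

    # In a onelevel search the only child is a user account which does not
    # match the filter, so no entry may be returned; getEntry signals that
    # with NO_SUCH_OBJECT, which is the outcome we require.
    found = 1
    try:
        topology_st.standalone.getEntry(
            "ou=org5,{}".format(DEFAULT_SUFFIX), ldap.SCOPE_ONELEVEL,
            "(objectclass=organizationalunit)")
    except ldap.NO_SUCH_OBJECT:
        found = 0
    assert (found == 0)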
def test_user_can_access_the_data_when_connecting_from_internal_ds_network_only(
        topo, add_user, aci_of_user):
    """
    User can access the data when connecting from internal ICNC network only
    as per the ACI.

    :id:2cac2136-7ac5-11e8-8328-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add two dns ACIs: "*redhat.com" and this host's FQDN
        3. Bind as SUNDNS_KEY and modify the DNS OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # The second ACI names the host we run on, so the modify is allowed
    # regardless of whether the first (redhat.com) one matches.
    local_fqdn = socket.getfqdn()
    dns_acis = [f'(target = "ldap:///{DNS_OU_KEY}")'
                f'(targetattr=*)(version 3.0; aci "DNS aci"; '
                f'allow(all) userdn = "ldap:///{SUNDNS_KEY}" and dns = "*redhat.com" ;)',
                f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
                f'(version 3.0; aci "DNS aci"; allow(all) '
                f'userdn = "ldap:///{SUNDNS_KEY}" and dns = "{local_fqdn}" ;)']
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", dns_acis)

    as_sundns = UserAccount(topo.standalone, SUNDNS_KEY).bind(PW_DM)
    OrganizationalUnit(as_sundns, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_uer(request, topo):
    """Create the two OUs and one user in each used by the ACL tests.

    Also raises the error log level to ACL_SUMMARY so ACI decisions are
    visible in the log. Presumably registered as a pytest fixture (the
    decorator, if any, is outside this listing); ``request`` is unused here.
    """
    topo.standalone.config.loglevel((ErrorLog.ACL_SUMMARY, ))

    for ou_name in ['Product Development', 'Accounting']:
        OrganizationalUnit(topo.standalone, "ou={},{}".format(
            ou_name, DEFAULT_SUFFIX)).create(properties={'ou': ou_name})

    # (container RDN, display name, home directory leaf)
    people = [
        ('ou=Product Development', 'Anuj Borah', 'AnujBorah'),
        ('ou=Accounting', 'Ananda Borah', 'AnandaBorah'),
    ]
    for container_rdn, full_name, home_leaf in people:
        UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=container_rdn).create(
            properties={
                'uid': full_name,
                'cn': full_name,
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + home_leaf,
                'userPassword': PW_DM
            })
def create_base_orgunit(instance, basedn):
    """Create the base org unit object for a org unit.

    :param instance: the DirSrv instance to create the entry on
    :param basedn: full DN of the OU; its first RDN value becomes the ``ou``
                   attribute and the whole DN is stored as ``description``
    :returns: the created OrganizationalUnit
    """
    # Split the DN into RDN components and take the value of the first AVA.
    first_rdn_value = dn.str2dn(basedn)[0][0][1]
    orgunit = OrganizationalUnit(instance, dn=basedn)
    orgunit.create(
        properties={
            'ou': first_rdn_value,
            'description': basedn,
        })
    return orgunit
def test_user_can_access_from_ipv4_or_ipv6_address(topo, add_user, aci_of_user, ip_addr):
    """User can modify the data when accessing the server from the allowed IPv4 and IPv6 addresses

    :id: 461e761e-7ac5-11e8-9ae4-8c16451d917b
    :customerscenario: True
    :parametrized: yes
    :setup: Standalone Server
    :steps:
        1. Add ACI that has both IPv4 and IPv6
        2. Connect from one of the IPs allowed in ACI
        3. Modify an attribute
    :expectedresults:
        1. ACI should be added
        2. Conection should be successful
        3. Operation should be successful
    """
    # One ACI, two loopback addresses; the parametrized ip_addr picks which
    # family the connection actually uses.
    ip_aci = (f'(target ="ldap:///{IP_OU_KEY}")(targetattr="*") '
              f'(version 3.0; aci "IP aci"; allow(all) '
              f'userdn = "ldap:///{FULLIP_KEY}" and (ip = "127.0.0.1" or ip = "::1");)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ip_aci)

    # NOTE(review): an IPv6 literal in a URI needs brackets; presumably the
    # ip_addr fixture already supplies "[::1]" — confirm.
    ldap_uri = f'ldap://{ip_addr}:{topo.standalone.port}'
    as_fullip = UserAccount(topo.standalone, FULLIP_KEY).bind(PW_DM, uri=ldap_uri)
    OrganizationalUnit(as_fullip, IP_OU_KEY).replace("seeAlso", "cn=1")
def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_network_2(
        topo, add_user, aci_of_user):
    """Access is granted unless the client's dnsalias is www.redhat.com.

    The ACI uses a negated dnsalias ("!= www.redhat.com"), so the test host,
    which is not that alias, is allowed and the modify succeeds.

    :id: 396bdd44-7ac5-11e8-8014-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add an ACI with dnsalias != "www.redhat.com"
        3. Bind as NETSCAPEDNS_KEY and modify the DNS OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    negated_aci = (f'(target = "ldap:///{DNS_OU_KEY}")'
                   f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
                   f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
                   f'and dnsalias != "www.redhat.com" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", negated_aci)

    as_netscapedns = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)
    OrganizationalUnit(as_netscapedns, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_user_can_access_the_data_when_connecting_from_some_network_only(
        topo, add_user, aci_of_user):
    """User can access the data when connecting from some network only as per the ACI.

    :id: 3098512a-7ac5-11e8-af85-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add an ACI whose dns is this host's FQDN
        3. Bind as NETSCAPEDNS_KEY and modify the DNS OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # The grant is pinned to the machine the test runs on.
    local_fqdn = socket.getfqdn()
    host_aci = (f'(target = "ldap:///{DNS_OU_KEY}")'
                f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
                f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
                f'and dns = "{local_fqdn}" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", host_aci)

    as_netscapedns = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)
    OrganizationalUnit(as_netscapedns, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_user_can_access_the_data_when_connecting_from_any_machine(
        topo, add_user, aci_of_user):
    """User can access the data when connecting from any machine as per the ACI.

    :id: 28cbc008-7ac5-11e8-934e-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add an ACI with dns = "*"
        3. Bind as FULLDNS_KEY and modify the DNS OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # dns = "*" matches every client host name.
    anyhost_aci = (f'(target ="ldap:///{DNS_OU_KEY}")'
                   f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
                   f'userdn = "ldap:///{FULLDNS_KEY}" and dns = "*" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", anyhost_aci)

    as_fulldns = UserAccount(topo.standalone, FULLDNS_KEY).bind(PW_DM)
    OrganizationalUnit(as_fulldns, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_allow_selfwrite_access_to_anyone(topo, aci_of_user, cleanup_tree):
    """
    Modify Test 8 Allow selfwrite access to anyone

    :id:8b3becf0-7abf-11e8-ac34-8c16451d917b
    :setup: server
    :steps:
        1. Create group1 and an ACI granting selfwrite on its member attribute
        2. Create an OU and a user
        3. Bind as USER_DELADD and add itself to the group
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    group1 = Groups(topo.standalone, DEFAULT_SUFFIX).create(properties={
        "cn": "group1",
        "description": "testgroup"
    })
    # selfwrite only lets a bound user add/remove its own DN as a member.
    ACI_BODY = '(target = ldap:///cn=group1,ou=Groups,{})(targetattr = "member")(version 3.0; acl "ACI NAME"; allow (selfwrite) (userdn = "ldap:///anyone") ;)'.format(
        DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    OrganizationalUnit(topo.standalone, "ou=Product Development,{}".format(DEFAULT_SUFFIX)).create(
        properties={'ou': 'Product Development'})
    UserAccount(
        topo.standalone, "cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX)).create(
        properties={
            'uid': 'Jeff Vedder',
            'cn': 'Jeff Vedder',
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + 'JeffVedder',
            'userPassword': PW_DM
        })

    # Allow selfwrite access to anyone: the bound user adds itself. This
    # assumes group1 is the first group listed under the suffix.
    as_deladd = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
    first_group = Groups(as_deladd, DEFAULT_SUFFIX).list()[0]
    first_group.add_member(USER_DELADD)
    group1.delete()
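def test_allow_owner_to_modify_entry(topo, aci_of_user, cleanup_tree):
    """
    Modify Test 14 allow userdnattr = owner to modify entry

    :id:aa302090-7abf-11e8-811a-8c16451d917b
    :setup: server
    :steps:
        1. Create cn=intranet with USER_WITH_ACI_DELADD as its owner, plus
           an ACI granting rights via userdnattr = "owner"
        2. Create two OUs and a user under each
        3. Bind as the owner and set uniquemember on the group
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    grp = UniqueGroup(topo.standalone, 'cn=intranet,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'intranet', 'ou': 'groups'})
    grp.set('owner', USER_WITH_ACI_DELADD)
    # userdnattr = "owner": whoever is named in the entry's owner attribute
    # gets the listed rights on it (scoped by targetfilter to unique groups).
    ACI_BODY = '(target ="ldap:///cn=intranet, {}") (targetattr ="*")(targetfilter ="(objectclass=groupOfUniqueNames)") (version 3.0;acl "$tet_thistest";allow(read, write, delete, search, compare, add) (userdnattr = "owner");)'.format(
        DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    for i in ['Product Development', 'Accounting']:
        ou = OrganizationalUnit(topo.standalone, "ou={},{}".format(i, DEFAULT_SUFFIX))
        ou.create(properties={'ou': i})
    for i in [
        'Jeff Vedder,ou=Product Development',
        'Sam Carter,ou=Accounting'
    ]:
        properties = {
            'uid': i,
            'cn': i,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + i,
            'userPassword': PW_DM
        }
        user = UserAccount(topo.standalone, "cn={},{}".format(i, DEFAULT_SUFFIX))
        user.create(properties=properties)

    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    # allow userdnattr = owner to modify entry. Both DNs are built from
    # DEFAULT_SUFFIX like every other DN in this test, rather than a
    # hard-coded "dc=example,dc=com" that would silently diverge from the
    # group created above if the suffix ever changed.
    ua = UserAccount(conn, 'cn=intranet,{}'.format(DEFAULT_SUFFIX))
    ua.set('uniquemember', "cn=Andy Walker, ou=Accounting,{}".format(DEFAULT_SUFFIX))
    assert ua.get_attr_val('uniquemember')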
def test_aci_with_both_allow_and_deny(topo, aci_of_user, cleanup_tree):
    """
    Modify Test 12 aci with both allow and deny

    :id:9dcfe902-7abf-11e8-86dc-8c16451d917b
    :setup: server
    :steps:
        1. Add one ACI that denies read/search to USER_WITH_ACI_DELADD and
           allows all to USER_DELADD
        2. Create two OUs and a user under each
        3. Read USER_WITH_ACI_DELADD's uid as each of the two users
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Allowed user sees the uid; denied user gets nothing back
    """
    ACI_BODY = '(targetattr = "*")(version 3.0; acl "ACI NAME"; deny (read, search)userdn = "ldap:///{}"; allow (all) userdn = "ldap:///{}" ;)'.format(
        USER_WITH_ACI_DELADD, USER_DELADD)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    for ou_name in ['Product Development', 'Accounting']:
        OrganizationalUnit(topo.standalone, "ou={},{}".format(ou_name, DEFAULT_SUFFIX)).create(
            properties={'ou': ou_name})
    for rdn_path in [
        'Jeff Vedder,ou=Product Development',
        'Sam Carter,ou=Accounting'
    ]:
        UserAccount(topo.standalone, "cn={},{}".format(rdn_path, DEFAULT_SUFFIX)).create(
            properties={
                'uid': rdn_path,
                'cn': rdn_path,
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + rdn_path,
                'userPassword': PW_DM
            })

    # Testing the allow branch: USER_DELADD can read the other entry.
    as_allowed = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
    assert UserAccount(as_allowed, USER_WITH_ACI_DELADD).get_attr_val('uid')

    # Testing the deny branch: the entry is invisible to its own owner, so
    # get_attr_val has no value to index and raises IndexError (lib389
    # behaviour on an empty attribute list — TODO confirm if it changes).
    as_denied = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    with pytest.raises(IndexError):
        UserAccount(as_denied, USER_WITH_ACI_DELADD).get_attr_val('uid')
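def test_entryusn_after_repl_delete(topology_m2):
    """Verify that entryUSN is incremented on 1 after delete operation which creates a tombstone

    :id: 1704cf65-41bc-4347-bdaf-20fc2431b218
    :setup: An instance with replication, Users, USN enabled
    :steps:
        1. Try to delete a user
        2. Check the tombstone has the incremented USN
        3. Try to delete ou=People with users
        4. Check the entry has a not incremented entryUSN
    :expectedresults:
        1. Success
        2. Success
        3. Should fail with Not Allowed On Non-leaf error
        4. Success
    """
    inst = topology_m2.ms["supplier1"]
    plugin = USNPlugin(inst)
    plugin.enable()
    inst.restart()

    users = UserAccounts(inst, DEFAULT_SUFFIX)
    # Bound before the try so the finally block never hits a NameError when
    # create_test_user() itself fails (which would mask the real error).
    user_1 = None
    try:
        user_1 = users.create_test_user()
        user_rdn = user_1.rdn
        tombstones = Tombstones(inst, DEFAULT_SUFFIX)
        user_1.replace('description', 'update_ts')
        user_usn = user_1.get_attr_val_int('entryusn')
        user_1.delete()
        time.sleep(1)  # Gives a little time for tombstone creation to complete
        ts = tombstones.get(user_rdn)
        ts_usn = ts.get_attr_val_int('entryusn')
        # The delete is one more operation, so the tombstone's USN is +1.
        assert (user_usn + 1) == ts_usn

        # Re-create a child so ou=People is a non-leaf entry.
        user_1 = users.create_test_user()
        org = OrganizationalUnit(inst, f"ou=People,{DEFAULT_SUFFIX}")
        org.replace('description', 'update_ts')
        ou_usn_before = org.get_attr_val_int('entryusn')
        # The delete is expected to be refused; a refused operation must not
        # bump the entry's USN.
        try:
            org.delete()
        except ldap.NOT_ALLOWED_ON_NONLEAF:
            pass
        ou_usn_after = org.get_attr_val_int('entryusn')
        assert ou_usn_before == ou_usn_after
    finally:
        if user_1 is not None:
            try:
                user_1.delete()
            except ldap.NO_SUCH_OBJECT:
                pass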
def test_allow_write_access_to_userdn_all(topo, aci_of_user, cleanup_tree):
    """
    Modify Test 3 Allow write access to userdn 'all'

    :id:70c58818-7abf-11e8-afa1-8c16451d917b
    :setup: server
    :steps:
        1. Add an ACI granting write to userdn "ldap:///all"
        2. Create two OUs and a user under each
        3. Add a title anonymously, then as an authenticated user
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Anonymous add is refused; authenticated add succeeds
    """
    # "ldap:///all" means every *authenticated* user, unlike "ldap:///anyone".
    ACI_BODY = '(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///all") ;)'
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    for ou_name in ['Product Development', 'Accounting']:
        OrganizationalUnit(topo.standalone, "ou={},{}".format(ou_name, DEFAULT_SUFFIX)).create(
            properties={'ou': ou_name})
    for rdn_path in [
        'Jeff Vedder,ou=Product Development',
        'Sam Carter,ou=Accounting'
    ]:
        UserAccount(topo.standalone, "cn={},{}".format(rdn_path, DEFAULT_SUFFIX)).create(
            properties={
                'uid': rdn_path,
                'cn': rdn_path,
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + rdn_path,
                'userPassword': PW_DM
            })

    # Allow write access to userdn 'all': anonymous is outside "all".
    anon_conn = Anonymous(topo.standalone).bind()
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        UserAccount(anon_conn, USER_DELADD).add("title", "Architect")

    as_aci_user = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    target = UserAccount(as_aci_user, USER_DELADD)
    target.add("title", "Architect")
    assert UserAccount(as_aci_user, USER_DELADD).get_attr_val('title')
def test_user(request, topo):
    """Populate the nested-group test tree.

    Creates three OUs, six users under ou=nestedgroup, an anonymous read ACI
    on the suffix, two users beneath GROUPDNATTRSCRATCHENTRY_GLOBAL and a
    chain of unique groups each containing the next. Presumably used as a
    pytest fixture (decorator not visible here); ``request`` is unused.
    """
    def account_props(name):
        # Same attribute set for every test user; only the name varies.
        return {
            'uid': name,
            'cn': name,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + name,
            'userPassword': PW_DM
        }

    for ou_name in ['Product Development', 'Accounting', 'nestedgroup']:
        OrganizationalUnit(topo.standalone, "ou={},{}".format(
            ou_name, DEFAULT_SUFFIX)).create(properties={'ou': ou_name})

    nested_users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'ou=nestedgroup')
    for name in [
        'DEEPUSER_GLOBAL', 'scratchEntry', 'DEEPUSER2_GLOBAL',
        'DEEPUSER3_GLOBAL', 'GROUPDNATTRSCRATCHENTRY_GLOBAL', 'newChild'
    ]:
        nested_users.create(properties=account_props(name))

    # Add anonymous access aci (read/search/compare on the whole suffix).
    anon_aci = ('(targetattr="*")(target = "ldap:///%s")' % (DEFAULT_SUFFIX)
                + '(version 3.0; acl "Anonymous Read access"; allow (read,search,compare)'
                + '(userdn="ldap:///anyone");)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add('aci', anon_aci)

    scratch_children = UserAccounts(topo.standalone, DEFAULT_SUFFIX,
                                    'uid=GROUPDNATTRSCRATCHENTRY_GLOBAL,ou=nestedgroup')
    for name in ['c1', 'CHILD1_GLOBAL']:
        scratch_children.create(properties=account_props(name))

    # Each group's sole uniquemember is the next group; the last one holds
    # the deep user, which is what the nested-group ACI tests walk.
    unique_groups = UniqueGroups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=nestedgroup')
    chain = [
        ('ALLGROUPS_GLOBAL', GROUPA_GLOBAL), ('GROUPA_GLOBAL', GROUPB_GLOBAL),
        ('GROUPB_GLOBAL', GROUPC_GLOBAL), ('GROUPC_GLOBAL', GROUPD_GLOBAL),
        ('GROUPD_GLOBAL', GROUPE_GLOBAL), ('GROUPE_GLOBAL', GROUPF_GLOBAL),
        ('GROUPF_GLOBAL', GROUPG_GLOBAL), ('GROUPG_GLOBAL', GROUPH_GLOBAL),
        ('GROUPH_GLOBAL', DEEPUSER_GLOBAL)
    ]
    for group_cn, member_dn in chain:
        unique_groups.create(properties={
            'cn': group_cn,
            'ou': 'groups',
            'uniquemember': member_dn
        })