def test_bob_acceptance_tests(topo_m4):
"""Run multiple modrdn_s operation on master1
:id: 26eb87f2-e765-11e8-9698-8c16451d917b
:setup: standalone
:steps:
1. Add entry
2. Run multiple modrdn_s operation on master1
3. Check everything is fine.
:expected results:
1. Should success
2. Should success
3. Should success
"""
# Bug description: run BOB acceptance tests...but it may be not systematic
# Testing bug #923502: Crash in MODRDN
users = UserAccounts(topo_m4.ms["master1"], DEFAULT_SUFFIX)
repl = ReplicationManager(DEFAULT_SUFFIX)
users.create_test_user()
users.create_test_user(uid=2)
for _ in range(100):
topo_m4.ms["master1"].modrdn_s("uid=test_user_1000,ou=People,{}".format(DEFAULT_SUFFIX), "uid=userB", 1)
topo_m4.ms["master1"].modrdn_s("uid=userB,ou=People,{}".format(DEFAULT_SUFFIX), "uid=test_user_1000", 1)
repl.wait_for_replication(topo_m4.ms["master1"], topo_m4.ms["master2"])
for i in range(100):
topo_m4.ms["master2"].modrdn_s("uid=test_user_2,ou=People,{}".format(DEFAULT_SUFFIX), "uid=userB", 1)
topo_m4.ms["master2"].modrdn_s("uid=userB,ou=People,{}".format(DEFAULT_SUFFIX), "uid=test_user_2", 1)
assert topo_m4.ms["master1"].status() == True
assert topo_m4.ms["master2"].status() == True
def test_modify_some_data_in_m3(topo_m4):
"""
Modify some data in Master 3 , check trees on all 4 masters
:id: 33583ff4-e764-11e8-8491-8c16451d917b
:setup: 4 Instances with replication
:steps:
1. Modify some data in M3 , wait for 20 seconds ,check trees on all 4 masters
:expected results:
1. Should success
"""
# modify some data in M3
# wait for 20 seconds
# check trees on all 4 masters
users = UserAccounts(topo_m4.ms["master3"], DEFAULT_SUFFIX)
repl = ReplicationManager(DEFAULT_SUFFIX)
for i in range(15, 20):
users.create_test_user(uid=i)
time.sleep(1)
for i in range(15, 20):
users.list()[19 - i].set("description",
"description for user{} CHANGED".format(i))
repl.test_replication(topo_m4.ms["master3"], topo_m4.ms["master1"], 30)
repl.test_replication(topo_m4.ms["master3"], topo_m4.ms["master2"], 30)
repl.test_replication(topo_m4.ms["master3"], topo_m4.ms["master4"], 30)
for i in users.list():
i.delete()
def test_allow_add_access_to_anyone(topo, _add_user, _aci_of_user):
"""
Test to allow add access to anyone
:id: 5ca31cc4-68e0-11e8-8666-8c16451d917b
:setup: topo.standalone
:steps:
1. Add test entry
2. Add ACI that allows groupdn to add
3. Add something using test USER_DELADD
4. Remove ACI
:expectedresults:
1. Entry should be added
2. ACI should be added
3. Add operation should succeed
4. Delete operation for ACI should succeed
"""
# set aci
aci_target = f'(targetattr="*")'
aci_allow = f'(version 3.0; acl "All rights for anyone"; allow (add) '
aci_subject = f'userdn="ldap:///anyone";)'
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))
# create connection with USER_WITH_ACI_DELADD
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Perform add operation
users = UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=Accounting')
user = users.create_test_user(gid=3, uid=3)
assert user.exists()
users = UserAccounts(conn, DEFAULT_SUFFIX)
user = users.create_test_user(gid=3, uid=3)
assert user.exists()
def _add_user(request, topo):
"""
This function will create user for the test and in the end entries will be deleted .
"""
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
user = users.create_test_user()
user.set("userPassword", PW_DM)
ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
ous.create(properties={'ou': 'Accounting'})
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')
for i in range(1, 3):
user = users.create_test_user(uid=i, gid=i)
user.set("userPassword", PW_DM)
def fin():
"""
Deletes entries after the test.
"""
users1 = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
for dn_dn in users1.list():
dn_dn.delete()
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
for dn_dn in groups.list():
dn_dn.delete()
ou_ou = OrganizationalUnit(topo.standalone,
f'ou=Accounting,{DEFAULT_SUFFIX}')
ou_ou.delete()
request.addfinalizer(fin)
def test_require_index(topo):
"""Test nsslapd-ignore-virtual-attrs configuration attribute
:id: fb6e31f2-acc2-4e75-a195-5c356faeb803
:setup: Standalone instance
:steps:
1. Set "nsslapd-require-index" to "on"
2. Test an unindexed search is rejected
:expectedresults:
1. Success
2. Success
"""
# Set the config
be_insts = Backends(topo.standalone).list()
for be in be_insts:
if be.get_attr_val_utf8_l('nsslapd-suffix') == DEFAULT_SUFFIX:
be.set('nsslapd-require-index', 'on')
db_cfg = DatabaseConfig(topo.standalone)
db_cfg.set([('nsslapd-idlistscanlimit', '100')])
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in range(101):
users.create_test_user(uid=i)
# Issue unindexed search,a nd make sure it is rejected
raw_objects = DSLdapObjects(topo.standalone, basedn=DEFAULT_SUFFIX)
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
raw_objects.filter("(description=test*)")
def test_nestedrole(topo, _final):
"""
:id: d52a9cw0-3bg6-11e9-9b7b-8c16451d917t
:setup: Standalone server
:steps:
1. Add test entry
2. Add ACI
3. Search managed role entries
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Create Managed role entry
managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
managed_role1 = managed_roles.create(properties={"cn": 'managed_role1'})
managed_role2 = managed_roles.create(properties={"cn": 'managed_role2'})
# Create nested role entry
nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
nested_role = nested_roles.create(
properties={
"cn": 'nested_role',
"nsRoleDN": [managed_role1.dn, managed_role2.dn]
})
# Create user and assign managed role to it
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
user1 = users.create_test_user(uid=1, gid=1)
user1.set('nsRoleDN', managed_role1.dn)
user1.set('userPassword', PW_DM)
# Create another user and assign managed role to it
user2 = users.create_test_user(uid=2, gid=2)
user2.set('nsRoleDN', managed_role2.dn)
user2.set('userPassword', PW_DM)
# Create another user and do not assign any role to it
user3 = users.create_test_user(uid=3, gid=3)
user3.set('userPassword', PW_DM)
# Create a ACI with deny access to nested role entry
Domain(topo.standalone, DEFAULT_SUFFIX).\
add('aci', f'(targetattr=*)(version 3.0; aci '
f'"role aci"; deny(all) roledn="ldap:///{nested_role.dn}";)')
# Create connection with 'uid=test_user_1,ou=People,dc=example,dc=com' member of managed_role1
# and search while bound as the user
conn = users.get('test_user_1').bind(PW_DM)
assert not UserAccounts(conn, DEFAULT_SUFFIX).list()
# Create connection with 'uid=test_user_2,ou=People,dc=example,dc=com' member of managed_role2
# and search while bound as the user
conn = users.get('test_user_2').bind(PW_DM)
assert not UserAccounts(conn, DEFAULT_SUFFIX).list()
# Create connection with 'uid=test_user_3,ou=People,dc=example,dc=com' and
# search while bound as the user
conn = users.get('test_user_3').bind(PW_DM)
assert UserAccounts(conn, DEFAULT_SUFFIX).list()
def test_healthcheck_replication_out_of_sync_not_broken(topology_m3):
"""Check if HealthCheck returns DSREPLLE0003 code
:id: 8305000d-ba4d-4c00-8331-be0e8bd92150
:setup: 3 MMR topology
:steps:
1. Create a 3 masters full-mesh topology, all replicas being synchronized
2. Stop M1
3. Perform an update on M2 and M3.
4. Check M2 and M3 are synchronized.
5. From M2, reinitialize the M3 agreement
6. Stop M2 and M3
7. Restart M1
8. Start M3
9. Use HealthCheck without --json option
10. Use HealthCheck with --json option
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Success
8. Success
9. Healthcheck reports DSREPLLE0003 code and related details
10. Healthcheck reports DSREPLLE0003 code and related details
"""
RET_CODE = 'DSREPLLE0003'
M1 = topology_m3.ms['master1']
M2 = topology_m3.ms['master2']
M3 = topology_m3.ms['master3']
log.info('Stop master1')
M1.stop()
log.info('Perform update on master2 and master3')
test_users_m2 = UserAccounts(M2, DEFAULT_SUFFIX)
test_users_m3 = UserAccounts(M3, DEFAULT_SUFFIX)
test_users_m2.create_test_user(1000, 2000)
test_users_m3.create_test_user(1001, 2000)
log.info('Init M2->M3 agreement')
agmt = Agreements(M2).list()[1]
agmt.begin_reinit()
agmt.wait_reinit()
log.info('Stop M2 and M3')
M2.stop()
M3.stop()
log.info('Start M1 first, then M3')
M1.start()
M3.start()
run_healthcheck_and_flush_log(topology_m3, M3, RET_CODE, json=False)
run_healthcheck_and_flush_log(topology_m3, M3, RET_CODE, json=True)
def _cleanupentris(request, topo_m4):
users = UserAccounts(topo_m4.ms["master1"], DEFAULT_SUFFIX)
for i in range(10): users.create_test_user(uid=i)
def fin():
try:
for i in users.list():
i.delete()
except: pass
request.addfinalizer(fin)
def test_entryusn_after_repl_delete(topology_m2):
"""Verify that entryUSN is incremented on 1 after delete operation which creates a tombstone
:id: 1704cf65-41bc-4347-bdaf-20fc2431b218
:setup: An instance with replication, Users, USN enabled
:steps:
1. Try to delete a user
2. Check the tombstone has the incremented USN
3. Try to delete ou=People with users
4. Check the entry has a not incremented entryUSN
:expectedresults:
1. Success
2. Success
3. Should fail with Not Allowed On Non-leaf error
4. Success
"""
inst = topology_m2.ms["supplier1"]
plugin = USNPlugin(inst)
plugin.enable()
inst.restart()
users = UserAccounts(inst, DEFAULT_SUFFIX)
try:
user_1 = users.create_test_user()
user_rdn = user_1.rdn
tombstones = Tombstones(inst, DEFAULT_SUFFIX)
user_1.replace('description', 'update_ts')
user_usn = user_1.get_attr_val_int('entryusn')
user_1.delete()
time.sleep(1) # Gives a little time for tombstone creation to complete
ts = tombstones.get(user_rdn)
ts_usn = ts.get_attr_val_int('entryusn')
assert (user_usn + 1) == ts_usn
user_1 = users.create_test_user()
org = OrganizationalUnit(inst, f"ou=People,{DEFAULT_SUFFIX}")
org.replace('description', 'update_ts')
ou_usn_before = org.get_attr_val_int('entryusn')
try:
org.delete()
except ldap.NOT_ALLOWED_ON_NONLEAF:
pass
ou_usn_after = org.get_attr_val_int('entryusn')
assert ou_usn_before == ou_usn_after
finally:
try:
user_1.delete()
except ldap.NO_SUCH_OBJECT:
pass
def test_require_internal_index(topo):
"""Test nsslapd-ignore-virtual-attrs configuration attribute
:id: 22b94f30-59e3-4f27-89a1-c4f4be036f7f
:setup: Standalone instance
:steps:
1. Set "nsslapd-require-internalop-index" to "on"
2. Enable RI plugin, and configure it to use an attribute that is not indexed
3. Create a user and add it a group
4. Deleting user should be rejected as the RI plugin issues an
unindexed internal search
:expectedresults:
1. Success
2. Success
3. Success
4. Success
"""
# Set the config
be_insts = Backends(topo.standalone).list()
for be in be_insts:
if be.get_attr_val_utf8_l('nsslapd-suffix') == DEFAULT_SUFFIX:
be.set('nsslapd-require-index', 'off')
be.set('nsslapd-require-internalop-index', 'on')
# Configure RI plugin
rip = ReferentialIntegrityPlugin(topo.standalone)
rip.set('referint-membership-attr', 'description')
rip.enable()
# Create a bunch of users
db_cfg = DatabaseConfig(topo.standalone)
db_cfg.set([('nsslapd-idlistscanlimit', '100')])
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in range(102, 202):
users.create_test_user(uid=i)
# Create user and group
user = users.create(properties={
'uid': 'indexuser',
'cn' : 'indexuser',
'sn' : 'user',
'uidNumber' : '1010',
'gidNumber' : '2010',
'homeDirectory' : '/home/indexuser'
})
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={'cn': 'group',
'member': user.dn})
# Restart the server
topo.standalone.restart()
# Deletion of user should be rejected
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
user.delete()
def test_replica_backup_and_restore(topo_m4):
"""
Test Backup and restore
:id: 5ad1b85c-e765-11e8-9668-8c16451d917b
:setup: standalone
:steps:
1. Add entries
2. Take backup db2ldif on master1
3. Delete entries on master1
4. Restore entries ldif2db
5. Check entries
:expected results:
1. Should success
2. Should success
3. Should success
4. Should success
5. Should success
"""
# Testing bug #830335: Taking a replica backup and Restore on M1 after deleting few entries from M1 nad M2
repl = ReplicationManager(DEFAULT_SUFFIX)
users = UserAccounts(topo_m4.ms["master3"], DEFAULT_SUFFIX)
for i in range(20, 25):
users.create_test_user(uid=i)
time.sleep(1)
repl.wait_for_replication(topo_m4.ms["master1"], topo_m4.ms["master2"])
repl.test_replication(topo_m4.ms["master1"], topo_m4.ms["master2"], 30)
topo_m4.ms["master1"].stop()
topo_m4.ms["master1"].db2ldif(
bename=DEFAULT_BENAME,
suffixes=[DEFAULT_SUFFIX],
excludeSuffixes=[],
encrypt=False,
repl_data=True,
outputfile="/tmp/output_file",
)
topo_m4.ms["master1"].start()
for i in users.list():
topo_m4.ms["master1"].delete_s(i.dn)
repl.wait_for_replication(topo_m4.ms["master1"], topo_m4.ms["master2"])
repl.test_replication(topo_m4.ms["master1"], topo_m4.ms["master2"], 30)
topo_m4.ms["master1"].stop()
topo_m4.ms["master1"].ldif2db(
bename=None,
excludeSuffixes=None,
encrypt=False,
suffixes=[DEFAULT_SUFFIX],
import_file="/tmp/output_file",
)
topo_m4.ms["master1"].start()
for i in range(20, 25):
users.create_test_user(uid=i)
time.sleep(1)
repl.wait_for_replication(topo_m4.ms["master1"], topo_m4.ms["master2"])
repl.test_replication(topo_m4.ms["master1"], topo_m4.ms["master2"], 30)
def test_only_allow_some_targetattr_two(topo, clean, aci_of_user, request):
"""Misc Test 6 only allow some targetattr (2/2)"
:id: a188239c-7db8-11e8-903e-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
for i in range(5):
user = uas.create_test_user(uid=i, gid=i)
user.replace_many(('mail', '*****@*****.**'), ('cn', 'Anuj'),
('userPassword', PW_DM))
user1 = uas.create_test_user()
user1.replace_many(('mail', '*****@*****.**'),
('userPassword', PW_DM))
Domain(topo.standalone, DEFAULT_SUFFIX).\
replace("aci", '(target="ldap:///{}") (targetattr="mail||objectClass")'
'(targetfilter="cn=Anuj") (version 3.0; acl "{}"; '
'allow (compare,read,search) '
'(userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX, request.node.name))
conn = UserAccount(topo.standalone, user.dn).bind(PW_DM)
# aci will allow only mail targetattr but only for cn=Anuj
account = Accounts(conn, DEFAULT_SUFFIX)
assert len(account.filter('(mail=*)')) == 5
assert not account.filter('(cn=*)')
for i in account.filter('(mail=*)'):
assert i.get_attr_val_utf8('mail') == '*****@*****.**'
conn = Anonymous(topo.standalone).bind()
# aci will allow only mail targetattr but only for cn=Anuj
account = Accounts(conn, DEFAULT_SUFFIX)
assert len(account.filter('(mail=*)')) == 5
assert not account.filter('(cn=*)')
for i in account.filter('(mail=*)'):
assert i.get_attr_val_utf8('mail') == '*****@*****.**'
# with root no blockage
assert len(Accounts(topo.standalone,
DEFAULT_SUFFIX).filter('(mail=*)')) == 6
for i in uas.list():
i.delete()
def test_readonly_on_threshold(topo, setup, reset_logs):
"""Verify that nsslapd-disk-monitoring-readonly-on-threshold switches the server to read-only mode
:id: 06814c19-ef3c-4800-93c9-c7c6e76fcbb9
:customerscenario: True
:setup: Standalone
:steps:
1. Verify that the backend is in read-only mode
2. Go back above the threshold
3. Verify that the backend is in read-write mode
:expectedresults:
1. Should Success
2. Should Success
3. Should Success
"""
file_path = '{}/foo'.format(topo.standalone.ds_paths.log_dir)
backends = Backends(topo.standalone)
backend_name = backends.list()[0].rdn
# Verify that verbose logging was set to default level
topo.standalone.deleteErrorLogs()
assert topo.standalone.config.set('nsslapd-disk-monitoring', 'on')
assert topo.standalone.config.set(
'nsslapd-disk-monitoring-readonly-on-threshold', 'on')
topo.standalone.restart()
try:
subprocess.call([
'dd', 'if=/dev/zero', f'of={file_path}', 'bs=1M',
f'count={HALF_THR_FILL_SIZE}'
])
_witherrorlog(
topo, f"Putting the backend '{backend_name}' to read-only mode",
11)
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
try:
user = users.create_test_user()
user.delete()
except ldap.UNWILLING_TO_PERFORM as e:
if 'database is read-only' not in str(e):
raise
os.remove(file_path)
_witherrorlog(
topo,
f"Putting the backend '{backend_name}' back to read-write mode",
11)
user = users.create_test_user()
assert user.exists()
user.delete()
finally:
if os.path.exists(file_path):
os.remove(file_path)
def test_plugin_bind_dn_tracking_and_replication(topo_m2):
"""Testing nsslapd-plugin-binddn-tracking does not cause issues around
access control and reconfiguring replication/repl agmt.
:id: dd689d03-69b8-4bf9-a06e-2acd19d5e2c9
:setup: 2 supplier topology
:steps:
1. Turn on plugin binddn tracking
2. Add some users
3. Make an update as a user
4. Make an update to the replica config
5. Make an update to the repliocation agreement
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
"""
m1 = topo_m2.ms["supplier1"]
# Turn on bind dn tracking
m1.config.set('nsslapd-plugin-binddn-tracking', 'on')
# Add two users
users = UserAccounts(m1, DEFAULT_SUFFIX)
user1 = users.create_test_user(uid=1011)
user1.set('userpassword', PASSWORD)
user2 = users.create_test_user(uid=1012)
# Add an aci
acival = '(targetattr ="cn")(version 3.0;acl "Test bind dn tracking"' + \
';allow (all) (userdn = "ldap:///{}");)'.format(user1.dn)
Domain(m1, DEFAULT_SUFFIX).add('aci', acival)
# Bind as user and make an update
user1.rebind(PASSWORD)
user2.set('cn', 'new value')
dm = DirectoryManager(m1)
dm.rebind()
# modify replica
replica = Replicas(m1).get(DEFAULT_SUFFIX)
replica.set(REPL_PROTOCOL_TIMEOUT, "30")
# modify repl agmt
agmt = replica.get_agreements().list()[0]
agmt.set(REPL_PROTOCOL_TIMEOUT, "20")
def test_readonly_on_threshold_below_half_of_the_threshold(topo, setup, reset_logs):
"""Go below 1/2 of the threshold when readonly on threshold is enabled
:id: 10262663-b41f-420e-a2d0-9532dd54fa7c
:setup: Standalone
:steps:
:expectedresults:
1. Go straight below 1/2 of the threshold
2. Verify that the backend is in read-only mode
3. Go back above the threshold
4. Verify that the backend is in read-write mode
:expectedresults:
1. Should Success
2. Should Success
3. Should Success
4. Should Success
"""
file_path = '{}/foo'.format(topo.standalone.ds_paths.log_dir)
backends = Backends(topo.standalone)
backend_name = backends.list()[0].rdn
topo.standalone.deleteErrorLogs()
assert topo.standalone.config.set('nsslapd-disk-monitoring', 'on')
assert topo.standalone.config.set('nsslapd-disk-monitoring-readonly-on-threshold', 'on')
topo.standalone.restart()
try:
if float(THRESHOLD) > FULL_THR_FILL_SIZE:
FULL_THR_FILL_SIZE_new = FULL_THR_FILL_SIZE + round(float(THRESHOLD) - FULL_THR_FILL_SIZE) + 1
subprocess.call(['dd', 'if=/dev/zero', f'of={file_path}', 'bs=1M', f'count={FULL_THR_FILL_SIZE_new}'])
else:
subprocess.call(['dd', 'if=/dev/zero', f'of={file_path}', 'bs=1M', f'count={FULL_THR_FILL_SIZE}'])
_witherrorlog(topo, f"Putting the backend '{backend_name}' to read-only mode", 11)
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
try:
user = users.create_test_user()
user.delete()
except ldap.UNWILLING_TO_PERFORM as e:
if 'database is read-only' not in str(e):
raise
_witherrorlog(topo, 'is too far below the threshold', 51)
# Verify DS has recovered from shutdown
os.remove(file_path)
_witherrorlog(topo, f"Putting the backend '{backend_name}' back to read-write mode", 51)
user = users.create_test_user()
assert user.exists()
user.delete()
finally:
if os.path.exists(file_path):
os.remove(file_path)
def add_group_and_perform_user_operations(topology_st):
topo = topology_st.standalone
# Add the automember group
groups = Groups(topo, DEFAULT_SUFFIX)
group = groups.create(properties={'cn': 'group'})
ous = OrganizationalUnits(topo, DEFAULT_SUFFIX)
branch1 = ous.create(properties={'ou': 'branch1'})
# Add the automember config entry
am_configs = AutoMembershipDefinitions(topo)
am_config = am_configs.create(properties={'cn': 'config',
'autoMemberScope': branch1.dn,
'autoMemberFilter': 'objectclass=top',
'autoMemberDefaultGroup': group.dn,
'autoMemberGroupingAttr': 'member:dn'})
# Add a user that should get added to the group
users = UserAccounts(topo, DEFAULT_SUFFIX, rdn='ou={}'.format(branch1.rdn))
test_user = users.create_test_user(uid=777)
# Check if created user is group member
assert test_user.dn in group.list_members()
log.info('Renaming user')
test_user.rename('uid=new_test_user_777', newsuperior=SUFFIX)
log.info('Delete the user')
delete_obj(test_user)
log.info('Delete automember entry, org. unit and group for the next test')
delete_obj(am_config)
delete_obj(branch1)
delete_obj(group)
def test_allow_add_access_to_parent(topo, _add_user, _aci_of_user):
"""Test to Allow add privilege to parent
:id: 9f099845-9dbc-412f-bdb9-19a5ea729694
:setup: server
:steps:
1. Add test entry
2. Add ACI that Allow add privilege to parent
3. Add something using test USER_DELADD
4. Remove ACI
:expectedresults:
1. Entry should be added
2. ACI should be added
3. Operation should succeed
4. Delete operation for ACI should succeed
"""
# set aci
aci_target = f'(targetattr="*")'
aci_allow = f'(version 3.0; acl "All rights for parent"; allow (add) '
aci_subject = f'userdn="ldap:///parent";)'
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))
# create connection with USER_WITH_ACI_DELADD
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Perform Allow add privilege to parent
users = UserAccounts(conn, DEFAULT_SUFFIX, rdn='uid=test_user_1000, ou=people')
user = users.create_test_user(gid=1, uid=1)
assert user.exists()
# Delete created user
UserAccounts(topo.standalone, DEFAULT_SUFFIX).get('test_user_1').delete()
def test_allow_delete_access_to_parent(topo, _add_user, _aci_of_user):
"""Test to Allow delete access to parent
:id: 2dd7f624-68e7-11e8-8591-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI that Allow delete privilege to parent
3. Delete something using test USER_DELADD
4. Remove ACI
:expectedresults:
1. Entry should be added
2. ACI should be added
3. Operation should succeed
4. Delete operation for ACI should succeed
"""
# set aci
aci_target = f'(targetattr="*")'
aci_allow = f'(version 3.0; acl "All rights for parent"; allow (add,delete) '
aci_subject = f'userdn="ldap:///parent";)'
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))
# create connection with USER_WITH_ACI_DELADD
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Create a user with parent 'uid=test_user_1000, ou=people, {}'.format(DEFAULT_SUFFIX)
users = UserAccounts(conn, DEFAULT_SUFFIX, rdn='uid=test_user_1000, ou=people')
new_user = users.create_test_user(gid=1, uid=1)
assert new_user.exists()
# Perform Allow delete access to parent
new_user.delete()
def automember_fixture(topo, request):
# Create group
groups = []
group_obj = Groups(topo.standalone, DEFAULT_SUFFIX)
groups.append(group_obj.create(properties={'cn': 'testgroup'}))
groups.append(group_obj.create(properties={'cn': 'testgroup2'}))
groups.append(group_obj.create(properties={'cn': 'testgroup3'}))
# Create test user
user_accts = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
user = user_accts.create_test_user()
# Create automember definitions and regex rules
automember_prop = {
'cn': 'testgroup_definition',
'autoMemberScope': DEFAULT_SUFFIX,
'autoMemberFilter': 'objectclass=posixaccount',
'autoMemberDefaultGroup': groups[0].dn,
'autoMemberGroupingAttr': 'member:dn',
}
automembers = AutoMembershipDefinitions(topo.standalone)
auto_def = automembers.create(properties=automember_prop)
auto_def.add_regex_rule("regex1", groups[1].dn, include_regex=['cn=mark.*'])
auto_def.add_regex_rule("regex2", groups[2].dn, include_regex=['cn=simon.*'])
# Enable plugin
automemberplugin = AutoMembershipPlugin(topo.standalone)
automemberplugin.enable()
topo.standalone.restart()
return (user, groups)
def test_search_attr(topo):
"""Test filter can search attributes
:id: 9a1b0a4b-111c-4105-866d-4288f143ee07
:setup: Standalone instance
:steps:
1. Add test entry
2. make search
:expectedresults:
1. Entry should be added
2. Operation should succeed
"""
user = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in range(1, 5):
user1 = user.create_test_user(uid=i)
user1.set("mail", "AnujBorah{}@ok.com".format(i))
# Testing filter is working for any king of attr
user = Accounts(topo.standalone, DEFAULT_SUFFIX)
assert len(user.filter('(mail=*)')) == 4
assert len(user.filter('(uid=*)')) == 4
# Testing filter is working for other filters
assert len(user.filter("(objectclass=inetOrgPerson)")) == 4
def test_basic(topology_st):
BACKUP_DIR = os.path.join(topology_st.standalone.ds_paths.backup_dir,
"basic_backup")
topology_st.logcap = LogCapture()
args = FakeArgs()
users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
user = users.create_test_user()
user.replace("description", "backup_test")
# Clean the backup dir first
if os.path.exists(BACKUP_DIR):
shutil.rmtree(BACKUP_DIR)
# Create the backup
args.archive = BACKUP_DIR
args.db_type = None
backup_create(topology_st.standalone, None, topology_st.logcap.log, args)
assert os.listdir(BACKUP_DIR)
# Restore the backup
args.archive = topology_st.standalone.ds_paths.backup_dir
args.db_type = None
backup_restore(topology_st.standalone, None, topology_st.logcap.log, args)
assert user.present("description", "backup_test")
# No error has happened! Done!
# Clean up
if os.path.exists(BACKUP_DIR):
shutil.rmtree(BACKUP_DIR)
def test_password_crypt_asterisk_is_rejected(topology_st):
"""It was reported that {CRYPT}* was allowing all passwords to be
valid in the bind process. This checks that we should be rejecting
these as they should represent locked accounts. Similar, {CRYPT}!
:id: 0b8f1a6a-f3eb-4443-985e-da14d0939dc3
:setup: Single instance
:steps: 1. Set a password hash in with CRYPT and the content *
2. Test a bind
3. Set a password hash in with CRYPT and the content !
4. Test a bind
:expectedresults:
1. Successfully set the values
2. The bind fails
3. Successfully set the values
4. The bind fails
"""
topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on')
topology_st.standalone.config.set('nsslapd-enable-upgrade-hash', 'off')
users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
user = users.create_test_user()
user.set('userPassword', "{CRYPT}*")
# Attempt to bind with incorrect password.
with pytest.raises(ldap.INVALID_CREDENTIALS):
badconn = user.bind('badpassword')
user.set('userPassword', "{CRYPT}!")
# Attempt to bind with incorrect password.
with pytest.raises(ldap.INVALID_CREDENTIALS):
badconn = user.bind('badpassword')
def test_accept_aci_in_addition_to_acl(topo, clean, aci_of_user):
"""
Misc Test 2 accept aci in addition to acl
:id:8e9408fa-7db8-11e8-adaa-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=product development')
user = uas.create_test_user()
for i in [('mail', '*****@*****.**'), ('givenname', 'Anuj'), ('userPassword', PW_DM)]:
user.set(i[0], i[1])
aci_target = "(targetattr=givenname)"
aci_allow = ('(version 3.0; acl "Name of the ACI"; deny (read, search, compare, write)')
aci_subject = 'userdn="ldap:///anyone";)'
Domain(topo.standalone, CONTAINER_1_DELADD).add("aci", aci_target + aci_allow + aci_subject)
conn = Anonymous(topo.standalone).bind()
# aci will block targetattr=givenname to anyone
user = UserAccount(conn, user.dn)
with pytest.raises(AssertionError):
assert user.get_attr_val_utf8('givenname') == 'Anuj'
# aci will allow targetattr=uid to anyone
assert user.get_attr_val_utf8('uid') == 'test_user_1000'
for i in uas.list():
i.delete()
def test_check_missing_tombstones(topo_tls_ldapi):
"""Check missing tombstone entries is not reported.
:id: 93067a5a-416e-4243-9418-c4dfcf42e093
:customerscenario: True
:setup: Two master replication
:steps:
1. Pause replication between master and replica
2. Add and delete an entry on the master
3. Run ds-replcheck
4. Verify there are NO complaints about missing entries/tombstones
:expectedresults:
1. It should be successful
2. It should be successful
3. It should be successful
4. It should be successful
"""
m1 = topo_tls_ldapi.ms["master1"]
m2 = topo_tls_ldapi.ms["master2"]
try:
topo_tls_ldapi.pause_all_replicas()
users_m1 = UserAccounts(m1, DEFAULT_SUFFIX)
user0 = users_m1.create_test_user(1000)
user0.delete()
for tool_cmd in replcheck_cmd_list(topo_tls_ldapi):
result = subprocess.check_output(tool_cmd, encoding='utf-8').lower()
assert "entries missing on replica" not in result
finally:
topo_tls_ldapi.resume_all_replicas()
def test_do_bind_as_201_distinct_users(topo, clean, aci_of_user):
"""
Do bind as 201 distinct users
Increase the nsslapd-aclpb-max-selected-acls in cn=ACL Plugin,cn=plugins,cn=config
Restart the server
Do bind as 201 distinct users
:id:c0060532-7db8-11e8-a124-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in range(50):
user = uas.create_test_user(uid=i, gid=i)
user.set('userPassword', PW_DM)
for i in range(len(uas.list())):
uas.list()[i].bind(PW_DM)
ACLPlugin(topo.standalone).replace("nsslapd-aclpb-max-selected-acls", '220')
topo.standalone.restart()
for i in range(len(uas.list())):
uas.list()[i].bind(PW_DM)
def test_greater_than_200_acls_can_be_created(topo, clean, aci_of_user):
"""
Misc 10, check that greater than 200 ACLs can be created. Bug 624370
:id:ac020252-7db8-11e8-8652-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# greater_than_200_acls_can_be_created
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in range(200):
user = uas.create_test_user(uid=i, gid=i)
user.set('aci', '(targetattr = "description")'
'(version 3.0;acl "foo{}"; allow (read, search, compare)'
'(userdn="ldap:///anyone");)'.format(i))
assert user.\
get_attr_val_utf8('aci') == '(targetattr = "description")' \
'(version 3.0;acl "foo{}"; allow ' \
'(read, search, compare)' \
'(userdn="ldap:///anyone");)'.format(i)
for i in uas.list():
i.delete()
def test_more_then_40_acl_will_crash_slapd(topo, clean, aci_of_user):
"""
bug 334451 : more then 40 acl will crash slapd
superseded by Bug 772778 - acl cache overflown problem with > 200 acis
:id:93a44c60-7db8-11e8-9439-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')
user = uas.create_test_user()
aci_target = '(target ="ldap:///{}")(targetattr !="userPassword")'.format(CONTAINER_1_DELADD)
# more_then_40_acl_will not crash_slapd
for i in range(40):
aci_allow = '(version 3.0;acl "ACI_{}";allow (read, search, compare)'.format(i)
aci_subject = 'userdn="ldap:///anyone";)'
aci_body = aci_target + aci_allow + aci_subject
Domain(topo.standalone, CONTAINER_1_DELADD).add("aci", aci_body)
conn = Anonymous(topo.standalone).bind()
assert UserAccount(conn, user.dn).get_attr_val_utf8('uid') == 'test_user_1000'
for i in uas.list():
i.delete()
def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
"""Non-regression test for BUG 326000: MemberURL needs to be normalized
:id: a5d172e6-7db8-11e8-aca7-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ou_ou = OrganizationalUnit(topo.standalone,
"ou=PEOPLE,{}".format(DEFAULT_SUFFIX))
ou_ou.set(
'aci', '(targetattr= *)'
'(version 3.0; acl "tester"; allow(all) '
'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'.format(
DEFAULT_SUFFIX))
groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=PEOPLE')
groups.create(
properties={
"cn":
"DYNGROUP",
"description":
"DYNGROUP",
'objectClass':
'groupOfURLS',
'memberURL':
"ldap:///ou=PEOPLE,{}??sub?"
"(uid=test_user_2)".format(DEFAULT_SUFFIX)
})
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for demo1 in [(1, "Entry to test rights on."), (2, "Member of DYNGROUP")]:
user = uas.create_test_user(uid=demo1[0], gid=demo1[0])
user.replace_many(('description', demo1[1]), ('userPassword', PW_DM))
##with normal aci
conn = UserAccount(topo.standalone, uas.list()[1].dn).bind(PW_DM)
harry = UserAccount(conn, uas.list()[1].dn)
harry.add('sn', 'FRED')
##with abnomal aci
dygrp = Group(topo.standalone, DYNGROUP)
dygrp.remove(
'memberurl',
"ldap:///ou=PEOPLE,{}??sub?(uid=test_user_2)".format(DEFAULT_SUFFIX))
dygrp.add(
'memberurl',
"ldap:///ou=PEOPLE,{}??sub?(uid=tesT_UsEr_2)".format(DEFAULT_SUFFIX))
harry.add('sn', 'Not FRED')
for i in uas.list():
i.delete()
def test_last_three(topo, _add_user, user, entry):
"""
When we use the userattr keyword to associate the entry used to bind
with the target entry the ACI applies only to the target specified and
not to subentries.
:id: add58a0a-7a01-11e8-85f1-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
conn = UserAccount(topo.standalone, user).bind(PW_DM)
users = UserAccounts(conn, entry)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
users.create_test_user()
def test_create_an_entry_on_the_supplier(topo_m4):
"""
Shut down one instance and create an entry on the supplier
:id: f57538d0-e764-11e8-94fc-8c16451d917b
:setup: standalone
:steps:
1. Shut down one instance and create an entry on the supplier
:expected results:
1. Should not success
"""
# Bug 830344: Shut down one instance and create an entry on the supplier
topo_m4.ms["master1"].stop()
users = UserAccounts(topo_m4.ms["master2"], DEFAULT_SUFFIX)
users.create_test_user(uid=4)
# ldapsearch output
assert \
topo_m4.ms["master2"].search_s('cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config', ldap.SCOPE_SUBTREE,
"(objectclass=*)", ["nsds5replicaLastUpdateStatus"], )[1].getValue(
'nsds5replicalastupdatestatus')
topo_m4.ms["master1"].start()
