def aci_with_attr_subtype(request, topology_m2): """Adds and deletes an ACI in the DEFAULT_SUFFIX""" TARGET_ATTR = 'protectedOperation' USER_ATTR = 'allowedToPerform' SUBTYPE = request.param suffix = Domain(topology_m2.ms["supplier1"], DEFAULT_SUFFIX) log.info("========Executing test with '%s' subtype========" % SUBTYPE) log.info(" Add a target attribute") add_attr(topology_m2, TARGET_ATTR) log.info(" Add a user attribute") add_attr(topology_m2, USER_ATTR) ACI_TARGET = '(targetattr=%s;%s)' % (TARGET_ATTR, SUBTYPE) ACI_ALLOW = '(version 3.0; acl "test aci for subtypes"; allow (read) ' ACI_SUBJECT = 'userattr = "%s;%s#GROUPDN";)' % (USER_ATTR, SUBTYPE) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT log.info("Add an ACI with attribute subtype") suffix.add('aci', ACI_BODY) def fin(): log.info("Finally, delete an ACI with the '%s' subtype" % SUBTYPE) suffix.remove('aci', ACI_BODY) request.addfinalizer(fin) return ACI_BODY
def test_search_access_should_not_include_read_access(topo, clean, aci_of_user): """ bug 345643 Misc Test 4 search access should not include read access :id:98ab173e-7db8-11e8-a309-8c16451d917b :setup: Standalone Instance :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ assert Domain(topo.standalone, DEFAULT_SUFFIX).present('aci') Domain(topo.standalone, DEFAULT_SUFFIX)\ .add("aci", [f'(target ="ldap:///{DEFAULT_SUFFIX}")(targetattr !="userPassword")' '(version 3.0;acl "anonymous access";allow (search)' '(userdn = "ldap:///anyone");)', f'(target="ldap:///{DEFAULT_SUFFIX}") (targetattr = "*")(version 3.0; ' 'acl "allow self write";allow(write) ' 'userdn = "ldap:///self";)', f'(target="ldap:///{DEFAULT_SUFFIX}") (targetattr = "*")(version 3.0; ' 'acl "Allow all admin group"; allow(all) groupdn = "ldap:///cn=Directory ' 'Administrators, {}";)']) conn = Anonymous(topo.standalone).bind() # search_access_should_not_include_read_access suffix = Domain(conn, DEFAULT_SUFFIX) with pytest.raises(AssertionError): assert suffix.present('aci')
def aci_of_user(request, topo): """ :param request: :param topo: """ # Add anonymous access aci ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % ( DEFAULT_SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)" ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topo.standalone, DEFAULT_SUFFIX) try: suffix.add('aci', ANON_ACI) except ldap.TYPE_OR_VALUE_EXISTS: pass aci_list = suffix.get_attr_vals('aci') def finofaci(): """ Removes and Restores ACIs after the test. """ domain = Domain(topo.standalone, DEFAULT_SUFFIX) domain.remove_all('aci') for i in aci_list: domain.add("aci", i) request.addfinalizer(finofaci)
def test_ruv_after_reindex(topo): """Test that the tombstone RUV entry is not corrupted after a reindex task :id: 988c0fab-1905-4dc5-a45d-fbf195843a33 :setup: 2 suppliers :steps: 1. Reindex database 2. Perform some updates 3. Check error log does not have "_entryrdn_insert_key" errors :expectedresults: 1. Success 2. Success 3. Success """ inst = topo.ms['supplier1'] suffix = Domain(inst, "ou=people," + DEFAULT_SUFFIX) backends = Backends(inst) backend = backends.get(DEFAULT_BENAME) # Reindex nsuniqueid backend.reindex(attrs=['nsuniqueid'], wait=True) # Do some updates for idx in range(0, 5): suffix.replace('description', str(idx)) # Check error log for RUV entryrdn errors. Stopping instance forces RUV # to be written and quickly exposes the error inst.stop() assert not inst.searchErrorsLog("entryrdn_insert_key")
def test_hierarchy(topo, _add_user, aci_of_user): """ Testing the targattrfilters keyword that allows access control based on the value of the attributes being added (or deleted)) Test that with two targattrfilters in the hierarchy that the general one applies. This is the correct behaviour, even if it's a bit :id:d7ae354a-7aa9-11e8-8b0d-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ ACI_BODY = '(targattrfilters = "add=title:(title=arch*)")(version 3.0; acl "$tet_thistest"; ' \ 'allow (write) (userdn = "ldap:///anyone") ;)' ACI_BODY1 = '(targattrfilters = "add=title:(title=architect)")(version 3.0; ' \ 'acl "$tet_thistest"; allow (write) (userdn = "ldap:///anyone") ;)' Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY1) _AddTitleWithRoot(topo, "engineer").add() # aci will allow to add title architect conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) _ModTitleArchitectJeffVedder(topo, "architect", conn).add() # aci will not allow to add title architect with pytest.raises(ldap.INSUFFICIENT_ACCESS): _ModTitleArchitectJeffVedder(topo, "engineer", conn).add()
def create_user(topology_st): """User for binding operation""" users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX) users.create( properties={ 'cn': TEST_USER_NAME, 'sn': TEST_USER_NAME, 'userpassword': TEST_USER_PWD, 'mail': '*****@*****.**' % TEST_USER_NAME, 'uid': TEST_USER_NAME, 'uidNumber': '1000', 'gidNumber': '1000', 'homeDirectory': '/home/test' }) # Add anonymous access aci ACI_TARGET = "(targetattr != \"userpassword || aci\")(target = \"ldap:///%s\")" % ( DEFAULT_SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)" ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topology_st.standalone, DEFAULT_SUFFIX) try: suffix.add('aci', ANON_ACI) except ldap.TYPE_OR_VALUE_EXISTS: pass
def _write_aci_staging(topology_m2, mod_type=None): assert mod_type is not None ACI_TARGET = "(targetattr= \"uid\")(target=\"ldap:///uid=*,%s\")" % STAGING_DN ACI_ALLOW = "(version 3.0; acl \"write staging entries\"; allow (write)" ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topology_m2.ms["master1"], SUFFIX) suffix.set('aci', ACI_BODY, mod_type)
def test_user(request, topo): for demo in ['Product Development', 'Accounting', 'nestedgroup']: OrganizationalUnit(topo.standalone, "ou={},{}".format( demo, DEFAULT_SUFFIX)).create(properties={'ou': demo}) uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'ou=nestedgroup') for demo1 in [ 'DEEPUSER_GLOBAL', 'scratchEntry', 'DEEPUSER2_GLOBAL', 'DEEPUSER3_GLOBAL', 'GROUPDNATTRSCRATCHENTRY_GLOBAL', 'newChild' ]: uas.create( properties={ 'uid': demo1, 'cn': demo1, 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + demo1, 'userPassword': PW_DM }) # Add anonymous access aci ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % ( DEFAULT_SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)" ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topo.standalone, DEFAULT_SUFFIX) suffix.add('aci', ANON_ACI) uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'uid=GROUPDNATTRSCRATCHENTRY_GLOBAL,ou=nestedgroup') for demo1 in ['c1', 'CHILD1_GLOBAL']: uas.create( properties={ 'uid': demo1, 'cn': demo1, 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + demo1, 'userPassword': PW_DM }) grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=nestedgroup') for i in [ ('ALLGROUPS_GLOBAL', GROUPA_GLOBAL), ('GROUPA_GLOBAL', GROUPB_GLOBAL), ('GROUPB_GLOBAL', GROUPC_GLOBAL), ('GROUPC_GLOBAL', GROUPD_GLOBAL), ('GROUPD_GLOBAL', GROUPE_GLOBAL), ('GROUPE_GLOBAL', GROUPF_GLOBAL), ('GROUPF_GLOBAL', GROUPG_GLOBAL), ('GROUPG_GLOBAL', GROUPH_GLOBAL), ('GROUPH_GLOBAL', DEEPUSER_GLOBAL) ]: grp.create(properties={ 'cn': i[0], 'ou': 'groups', 'uniquemember': i[1] })
def _write_aci_production(topology_m2, mod_type=None): assert mod_type is not None ACI_TARGET = "(targetattr= \"uid\")(target=\"ldap:///uid=*,%s\")" % PRODUCTION_DN ACI_ALLOW = "(version 3.0; acl \"write production entries\"; allow (write)" ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topology_m2.ms["supplier1"], SUFFIX) suffix.set('aci', ACI_BODY, mod_type)
def moddn_setup(topology_m2): """Creates - a staging DIT - a production DIT - add accounts in staging DIT - enable ACL logging (commented for performance reason) """ m1 = topology_m2.ms["supplier1"] o_roles = OrganizationalRoles(m1, SUFFIX) m1.log.info("\n\n######## INITIALIZATION ########\n") # entry used to bind with m1.log.info("Add {}".format(BIND_DN)) user = UserAccount(m1, BIND_DN) user_props = TEST_USER_PROPERTIES.copy() user_props.update({'sn': BIND_RDN, 'cn': BIND_RDN, 'uid': BIND_RDN, 'userpassword': BIND_PW}) user.create(properties=user_props, basedn=SUFFIX) # Add anonymous read aci ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"*\")" % (SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = " userdn = \"ldap:///anyone\";)" ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(m1, SUFFIX) suffix.add('aci', ACI_BODY) # DIT for staging m1.log.info("Add {}".format(STAGING_DN)) o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"}) # DIT for production m1.log.info("Add {}".format(PRODUCTION_DN)) o_roles.create(properties={'cn': PRODUCTION_CN, 'description': "production DIT"}) # DIT for production/except m1.log.info("Add {}".format(PROD_EXCEPT_DN)) o_roles_prod = OrganizationalRoles(m1, PRODUCTION_DN) o_roles_prod.create(properties={'cn': EXCEPT_CN, 'description': "production except DIT"}) # enable acl error logging # mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')] # m1.modify_s(DN_CONFIG, mod) # topology_m2.ms["supplier2"].modify_s(DN_CONFIG, mod) # add dummy entries in the staging DIT staging_users = UserAccounts(m1, SUFFIX, rdn="cn={}".format(STAGING_CN)) user_props = TEST_USER_PROPERTIES.copy() for cpt in range(MAX_ACCOUNTS): name = "{}{}".format(NEW_ACCOUNT, cpt) user_props.update({'sn': name, 'cn': name, 'uid': name}) staging_users.create(properties=user_props)
def new_suffixes(topo): """Create new suffix, backend and mapping tree""" for num in range(1, 4): backends = Backends(topo.ins["standalone{}".format(num)]) backends.create(properties={ BACKEND_SUFFIX: NEW_SUFFIX, BACKEND_NAME: NEW_BACKEND }) domain = Domain(topo.ins["standalone{}".format(num)], NEW_SUFFIX) domain.create(properties={'dc': 'test', 'description': NEW_SUFFIX})
def _moddn_aci_from_production_to_staging(topology_m2, mod_type=None): assert mod_type is not None ACI_TARGET = "(target_from = \"ldap:///%s\") (target_to = \"ldap:///%s\")" % ( PRODUCTION_DN, STAGING_DN) ACI_ALLOW = "(version 3.0; acl \"MODDN from production to staging\"; allow (moddn)" ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topology_m2.ms["supplier1"], SUFFIX) suffix.set('aci', ACI_BODY, mod_type) _write_aci_production(topology_m2, mod_type=mod_type)
def assert_data_present(inst): # Do we have the backend marker? d = Domain(inst, DEFAULT_SUFFIX) try: desc = d.get_attr_val_utf8('description') if desc == TEST_MARKER: return except: # Just reset everything. pass # Reset the backends bes = Backends(inst) try: be = bes.get(DEFAULT_SUFFIX) be.delete() except: pass be = bes.create(properties={ 'nsslapd-suffix': DEFAULT_SUFFIX, 'cn': 'userRoot', }) be.create_sample_entries('001004002') # Load our data # We can't use dbgen as that relies on local access :( # Add 40,000 groups groups = Groups(inst, DEFAULT_SUFFIX) for i in range(1, GROUP_MAX): rdn = 'group_{0:07d}'.format(i) groups.create(properties={ 'cn': rdn, }) # Add 60,000 users users = nsUserAccounts(inst, DEFAULT_SUFFIX) for i in range(1, USER_MAX): rdn = 'user_{0:07d}'.format(i) users.create( properties={ 'uid': rdn, 'cn': rdn, 'displayName': rdn, 'uidNumber': '%s' % i, 'gidNumber': '%s' % i, 'homeDirectory': '/home/%s' % rdn, 'userPassword': rdn, }) # Add the marker d.replace('description', TEST_MARKER)
def test_mapping_tree_flipped_components(topology): inst = topology.standalone # First create two Backends, without mapping trees. be1 = create_backend(inst, 'userRootA', 'dc=example,dc=com') be2 = create_backend(inst, 'userRootB', 'dc=com,dc=example') # Okay, now we create the mapping trees for these backends, and we *invert* them in the parent config setting mts = MappingTrees(inst) mtb = mts.create( properties={ 'cn': 'dc=example,dc=com', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootA', }) mta = mts.create( properties={ 'cn': 'dc=com,dc=example', 'nsslapd-state': 'backend', 'nsslapd-backend': 'userRootB', }) dc_ex = Domain(inst, dn='dc=example,dc=com') assert dc_ex.exists() dc_ab = Domain(inst, dn='dc=com,dc=example') assert dc_ab.exists() # Restart and check again inst.restart() assert dc_ex.exists() assert dc_ab.exists()
def add_anon_aci_access(topo, request): # Add anonymous access aci ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX) ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)" ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)" ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT suffix = Domain(topo.standalone, DEFAULT_SUFFIX) try: suffix.add('aci', ANON_ACI) except ldap.TYPE_OR_VALUE_EXISTS: pass def fin(): suffix.delete() request.addfinalizer(fin)
def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user): """ User cannot access the data at all as per the ACI. :id: 75cdac5e-7ac5-11e8-968a-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Add ACI Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")' f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; ' f'allow(all) userdn = "ldap:///{TODAY_KEY}" ' f'and dayofweek = "$NEW_DATE" ;)') # Create a new connection for this test. conn = UserAccount(topo.standalone, NODAY_KEY).bind(PW_DM) # Perform Operation org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY) with pytest.raises(ldap.INSUFFICIENT_ACCESS): org.replace("seeAlso", "cn=1")
def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user): """ User can access the data one day per week as per the ACI. :id: 7131dc88-7ac5-11e8-acc2-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ today_1 = time.strftime("%c").split()[0] # Add ACI Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")' f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; ' f'allow(all) userdn = "ldap:///{TODAY_KEY}" ' f'and dayofweek = \'{today_1}\' ;)') # Create a new connection for this test. conn = UserAccount(topo.standalone, TODAY_KEY).bind(PW_DM) # Perform Operation org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY) org.replace("seeAlso", "cn=1")
def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user): """ User can access the data EVERYDAY_KEY as per the ACI. :id: 6c5922ca-7ac5-11e8-8f01-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Add ACI Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")' f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; ' f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and ' f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)') # Create a new connection for this test. conn = UserAccount(topo.standalone, EVERYDAY_KEY).bind(PW_DM) # Perform Operation org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY) org.replace("seeAlso", "cn=1")
def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_user): """ User can access the data only in the afternoon as per the ACI. :id: 63eb5b1c-7ac5-11e8-bd46-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Add ACI Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")' f'(targetattr="*")(version 3.0; aci "Timeofday aci"; ' f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" ' f'and timeofday > \'1200\' ;)') # create a new connection for the test conn = UserAccount(topo.standalone, NIGHTWORKER_KEY).bind(PW_DM) # Perform Operation org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY) if datetime.now().hour < 12: with pytest.raises(ldap.INSUFFICIENT_ACCESS): org.replace("seeAlso", "cn=1") else: org.replace("seeAlso", "cn=1")
def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user): """ User can access the data at any time as per the ACI. :id: 5b4da91a-7ac5-11e8-bbda-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Add ACI Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")' f'(targetattr="*")(version 3.0; aci "Timeofday aci"; ' f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and ' f'(timeofday >= "0000" and timeofday <= "2359") ;)') # Create a new connection for this test. conn = UserAccount(topo.standalone, FULLWORKER_KEY).bind(PW_DM) # Perform Operation org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY) org.replace("seeAlso", "cn=1")
def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_network_2( topo, add_user, aci_of_user): """User cannot access the data when connecting from an unauthorized network as per the ACI. :id: 396bdd44-7ac5-11e8-8014-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Add ACI Domain(topo.standalone, DEFAULT_SUFFIX).\ add("aci", f'(target = "ldap:///{DNS_OU_KEY}")' f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) ' f'userdn = "ldap:///{NETSCAPEDNS_KEY}" ' f'and dnsalias != "www.redhat.com" ;)') # Create a new connection for this test. conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM) # Perform Operation OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_deny_search_access_to_userdn_with_ldap_url_matching_all_users( topo, test_uer, aci_of_user): """Search Test 25 Deny search access to userdn with LDAP URL matching all users :id: b37f72ae-6e12-11e8-9c98-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)' ACI_SUBJECT = 'userdn = "ldap:///%s";)' % "{}??sub?(&(cn=*))".format( DEFAULT_SUFFIX) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block all users LDAP URL matching all users assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block all users LDAP URL matching all users assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user): """Dnsalias Keyword NODNS_KEY cannot assess data as per the ACI. :id: 41b467be-7ac5-11e8-89a3-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Add ACI Domain(topo.standalone, DEFAULT_SUFFIX).\ add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")' f'(version 3.0; aci "DNS aci"; allow(all) ' f'userdn = "ldap:///{NODNS_KEY}" and ' f'dnsalias = "RAP.rock.SALSA.house.COM" ;)') # Create a new connection for this test. conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM) # Perform Operation org = OrganizationalUnit(conn, DNS_OU_KEY) with pytest.raises(ldap.INSUFFICIENT_ACCESS): org.replace("seeAlso", "cn=1")
def test_user_can_access_the_data_when_connecting_from_any_machine( topo, add_user, aci_of_user): """User can access the data when connecting from any machine as per the ACI. :id: 28cbc008-7ac5-11e8-934e-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Add ACI Domain(topo.standalone, DEFAULT_SUFFIX)\ .add("aci", f'(target ="ldap:///{DNS_OU_KEY}")' f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) ' f'userdn = "ldap:///{FULLDNS_KEY}" and dns = "*" ;)') # Create a new connection for this test. conn = UserAccount(topo.standalone, FULLDNS_KEY).bind(PW_DM) # Perform Operation OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_user_can_access_the_data_when_connecting_from_some_network_only( topo, add_user, aci_of_user): """User can access the data when connecting from some network only as per the ACI. :id: 3098512a-7ac5-11e8-af85-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ dns_name = socket.getfqdn() # Add ACI Domain(topo.standalone, DEFAULT_SUFFIX)\ .add("aci", f'(target = "ldap:///{DNS_OU_KEY}")' f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) ' f'userdn = "ldap:///{NETSCAPEDNS_KEY}" ' f'and dns = "{dns_name}" ;)') # Create a new connection for this test. conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM) # Perform Operation OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_deny_search_access_to_userdn_with_ldap_url(topo, test_uer, aci_of_user): """Search Test 23 Deny search access to userdn with LDAP URL :id: 94f082d8-6e12-11e8-be72-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX) ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)' ACI_SUBJECT = ('userdn="ldap:///%s";)' % "{}??sub?(&(roomnumber=3445))".format(DEFAULT_SUFFIX)) ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) UserAccount(topo.standalone, USER_ANANDA).set('roomnumber', '3445') conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block all users having roomnumber=3445 assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block roomnumber=3445 for all users USER_ANUJ does not have roomnumber assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)')) # with root there is no aci blockage UserAccount(topo.standalone, USER_ANANDA).remove('roomnumber', '3445')
def test_user_cannot_access_the_data_if_not_from_a_certain_domain( topo, add_user, aci_of_user): """User cannot access the data if not from a certain domain as per the ACI. :id: 3d658972-7ac5-11e8-930f-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Add ACI Domain(topo.standalone, DEFAULT_SUFFIX).\ add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")' f'(version 3.0; aci "DNS aci"; allow(all) ' f'userdn = "ldap:///{NODNS_KEY}" ' f'and dns = "RAP.rock.SALSA.house.COM" ;)') # Create a new connection for this test. conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM) # Perform Operation org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY) with pytest.raises(ldap.INSUFFICIENT_ACCESS): org.replace("seeAlso", "cn=1")
def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user): """ User NoIP cannot assess the data as per the ACI. :id: 570bc7f6-7ac5-11e8-88c1-8c16451d917b :customerscenario: True :setup: Standalone Server :steps: 1. Add test entry 2. Add ACI 3. User should follow ACI role :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed """ # Add ACI Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", f'(target ="ldap:///{IP_OU_KEY}")' f'(targetattr="*")(version 3.0; aci "IP aci"; allow(all) ' f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)') # Create a new connection for this test. conn = UserAccount(topo.standalone, NOIP_KEY).bind(PW_DM) # Perform Operation org = OrganizationalUnit(conn, IP_OU_KEY) with pytest.raises(ldap.INSUFFICIENT_ACCESS): org.replace("seeAlso", "cn=1")
def test_user_can_access_from_ipv4_or_ipv6_address(topo, add_user, aci_of_user, ip_addr): """User can modify the data when accessing the server from the allowed IPv4 and IPv6 addresses :id: 461e761e-7ac5-11e8-9ae4-8c16451d917b :customerscenario: True :parametrized: yes :setup: Standalone Server :steps: 1. Add ACI that has both IPv4 and IPv6 2. Connect from one of the IPs allowed in ACI 3. Modify an attribute :expectedresults: 1. ACI should be added 2. Conection should be successful 3. Operation should be successful """ # Add ACI that contains both IPv4 and IPv6 Domain(topo.standalone, DEFAULT_SUFFIX).\ add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr="*") ' f'(version 3.0; aci "IP aci"; allow(all) ' f'userdn = "ldap:///{FULLIP_KEY}" and (ip = "127.0.0.1" or ip = "::1");)') # Create a new connection for this test. conn = UserAccount(topo.standalone, FULLIP_KEY).bind( PW_DM, uri=f'ldap://{ip_addr}:{topo.standalone.port}') # Perform Operation OrganizationalUnit(conn, IP_OU_KEY).replace("seeAlso", "cn=1")
def create_base_domain(instance, basedn): """Create the base domain object""" domain = Domain(instance, dn=basedn) # Explode the dn to get the first bit. avas = dn.str2dn(basedn) dc_ava = avas[0][0][1] domain.create(properties={ # I think in python 2 this forces unicode return ... 'dc': dc_ava, 'description': basedn, }) # ACI can be added later according to your needs return domain