def automember_fixture(topo, request):
# Create group
groups = []
group_obj = Groups(topo.standalone, DEFAULT_SUFFIX)
groups.append(group_obj.create(properties={'cn': 'testgroup'}))
groups.append(group_obj.create(properties={'cn': 'testgroup2'}))
groups.append(group_obj.create(properties={'cn': 'testgroup3'}))
# Create test user
user_accts = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
user = user_accts.create_test_user()
# Create automember definitions and regex rules
automember_prop = {
'cn': 'testgroup_definition',
'autoMemberScope': DEFAULT_SUFFIX,
'autoMemberFilter': 'objectclass=posixaccount',
'autoMemberDefaultGroup': groups[0].dn,
'autoMemberGroupingAttr': 'member:dn',
}
automembers = AutoMembershipDefinitions(topo.standalone)
auto_def = automembers.create(properties=automember_prop)
auto_def.add_regex_rule("regex1", groups[1].dn, include_regex=['cn=mark.*'])
auto_def.add_regex_rule("regex2", groups[2].dn, include_regex=['cn=simon.*'])
# Enable plugin
automemberplugin = AutoMembershipPlugin(topo.standalone)
automemberplugin.enable()
topo.standalone.restart()
return (user, groups)
def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
"""Non-regression test for BUG 326000: MemberURL needs to be normalized
:id: a5d172e6-7db8-11e8-aca7-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ou_ou = OrganizationalUnit(topo.standalone,
"ou=PEOPLE,{}".format(DEFAULT_SUFFIX))
ou_ou.set(
'aci', '(targetattr= *)'
'(version 3.0; acl "tester"; allow(all) '
'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'.format(
DEFAULT_SUFFIX))
groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=PEOPLE')
groups.create(
properties={
"cn":
"DYNGROUP",
"description":
"DYNGROUP",
'objectClass':
'groupOfURLS',
'memberURL':
"ldap:///ou=PEOPLE,{}??sub?"
"(uid=test_user_2)".format(DEFAULT_SUFFIX)
})
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for demo1 in [(1, "Entry to test rights on."), (2, "Member of DYNGROUP")]:
user = uas.create_test_user(uid=demo1[0], gid=demo1[0])
user.replace_many(('description', demo1[1]), ('userPassword', PW_DM))
##with normal aci
conn = UserAccount(topo.standalone, uas.list()[1].dn).bind(PW_DM)
harry = UserAccount(conn, uas.list()[1].dn)
harry.add('sn', 'FRED')
##with abnomal aci
dygrp = Group(topo.standalone, DYNGROUP)
dygrp.remove(
'memberurl',
"ldap:///ou=PEOPLE,{}??sub?(uid=test_user_2)".format(DEFAULT_SUFFIX))
dygrp.add(
'memberurl',
"ldap:///ou=PEOPLE,{}??sub?(uid=tesT_UsEr_2)".format(DEFAULT_SUFFIX))
harry.add('sn', 'Not FRED')
for i in uas.list():
i.delete()
def add_group(server, cn, subtree):
group = Groups(server, subtree, rdn=None)
group.create(
properties={
'cn': "%s" % cn,
'member':
['uid=test_m1,%s' % SUBTREE_1,
'uid=test_m2,%s' % SUBTREE_1],
'description': 'group'
})
def assert_data_present(inst):
# Do we have the backend marker?
d = Domain(inst, DEFAULT_SUFFIX)
try:
desc = d.get_attr_val_utf8('description')
if desc == TEST_MARKER:
return
except:
# Just reset everything.
pass
# Reset the backends
bes = Backends(inst)
try:
be = bes.get(DEFAULT_SUFFIX)
be.delete()
except:
pass
be = bes.create(properties={
'nsslapd-suffix': DEFAULT_SUFFIX,
'cn': 'userRoot',
})
be.create_sample_entries('001004002')
# Load our data
# We can't use dbgen as that relies on local access :(
# Add 40,000 groups
groups = Groups(inst, DEFAULT_SUFFIX)
for i in range(1, GROUP_MAX):
rdn = 'group_{0:07d}'.format(i)
groups.create(properties={
'cn': rdn,
})
# Add 60,000 users
users = nsUserAccounts(inst, DEFAULT_SUFFIX)
for i in range(1, USER_MAX):
rdn = 'user_{0:07d}'.format(i)
users.create(
properties={
'uid': rdn,
'cn': rdn,
'displayName': rdn,
'uidNumber': '%s' % i,
'gidNumber': '%s' % i,
'homeDirectory': '/home/%s' % rdn,
'userPassword': rdn,
})
# Add the marker
d.replace('description', TEST_MARKER)
def test_dsidm_config_sssd(topology_st, set_log_file):
""" Test dsidm creation of sssd.conf content
:id: 77812ba6-b133-40f4-91a7-13309618f24d
:setup: Standalone instance
:steps:
1. Run dsidm client_config sssd.conf
2. Enable MemberOfPlugin
3. Run dsidm client_config sssd.conf with allowed group
:expectedresults:
1. Success
2. Success
3. Success
"""
standalone = topology_st.standalone
sssd_content_list = [
'Generated by 389 Directory Server - dsidm', 'id_provider = ldap',
'auth_provider = ldap', 'access_provider = ldap',
'chpass_provider = ldap', 'ldap_search_base = ' + DEFAULT_SUFFIX,
'ldap_uri = ' + standalone.ldapuri, 'ldap_user_member_of = memberof',
'ignore_group_members = False', '[sssd]',
'services = nss, pam, ssh, sudo', 'config_file_version = 2',
'domains = ldap', '[nss]', 'homedir_substring = /home'
]
schema = 'ldap_schema = rfc2307'
args = FakeArgs()
args.allowed_group = None
log.info('Create sssd.conf content')
sssd_conf(standalone, DEFAULT_SUFFIX, log, args)
log.info('Check if config creation was successful')
check_value_in_log_and_reset(sssd_content_list, check_value=schema)
log.info('Now we test allowed_group argument')
log.info('Enable MemberOf plugin')
plugin = MemberOfPlugin(standalone)
plugin.enable()
standalone.restart()
log.info('Create test group')
groups = Groups(standalone, DEFAULT_SUFFIX)
test_group = groups.create(properties={
"cn": "new_group",
"description": "testgroup"
})
log.info('Create sssd.conf content with allowed group')
filter_msg = [
'ldap_access_filter = (memberOf={})'.format(test_group.dn),
'ldap_schema = rfc2307bis'
]
args.allowed_group = test_group.rdn
sssd_conf(standalone, DEFAULT_SUFFIX, log, args)
log.info('Check if config creation was successful')
check_value_in_log_and_reset(sssd_content_list, filter_msg)
def add_group_and_perform_user_operations(topology_st):
topo = topology_st.standalone
# Add the automember group
groups = Groups(topo, DEFAULT_SUFFIX)
group = groups.create(properties={'cn': 'group'})
ous = OrganizationalUnits(topo, DEFAULT_SUFFIX)
branch1 = ous.create(properties={'ou': 'branch1'})
# Add the automember config entry
am_configs = AutoMembershipDefinitions(topo)
am_config = am_configs.create(properties={'cn': 'config',
'autoMemberScope': branch1.dn,
'autoMemberFilter': 'objectclass=top',
'autoMemberDefaultGroup': group.dn,
'autoMemberGroupingAttr': 'member:dn'})
# Add a user that should get added to the group
users = UserAccounts(topo, DEFAULT_SUFFIX, rdn='ou={}'.format(branch1.rdn))
test_user = users.create_test_user(uid=777)
# Check if created user is group member
assert test_user.dn in group.list_members()
log.info('Renaming user')
test_user.rename('uid=new_test_user_777', newsuperior=SUFFIX)
log.info('Delete the user')
delete_obj(test_user)
log.info('Delete automember entry, org. unit and group for the next test')
delete_obj(am_config)
delete_obj(branch1)
delete_obj(group)
def add_a_group_with_users(request, topo):
"""
Add a group and users, which are members of this group.
"""
groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn=None)
group = groups.create(properties={'cn': 'test_group'})
users_list = []
users_num = 100
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
for num in range(users_num):
USER_NAME = f'test_{num}'
user = users.create(
properties={
'uid': USER_NAME,
'sn': USER_NAME,
'cn': USER_NAME,
'uidNumber': f'{num}',
'gidNumber': f'{num}',
'homeDirectory': f'/home/{USER_NAME}'
})
users_list.append(user)
group.add_member(user.dn)
def fin():
"""
Removes group and users.
"""
# If the server crashed, start it again to do the cleanup
if not topo.standalone.status():
topo.standalone.start()
for user in users_list:
user.delete()
group.delete()
request.addfinalizer(fin)
def add_member_and_group(server, cn, group_cn, subtree):
users = UserAccounts(server, subtree, rdn=None)
users.create(
properties={
'uid': f'test_{cn}',
'cn': f'test_{cn}',
'sn': f'test_{cn}',
'description': 'member',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/testuser'
})
group = Groups(server, subtree, rdn=None)
group.create(
properties={
'cn': group_cn,
'member': f'uid=test_{cn},{subtree}',
'description': 'group'
})
def test_require_internal_index(topo):
"""Test nsslapd-ignore-virtual-attrs configuration attribute
:id: 22b94f30-59e3-4f27-89a1-c4f4be036f7f
:setup: Standalone instance
:steps:
1. Set "nsslapd-require-internalop-index" to "on"
2. Enable RI plugin, and configure it to use an attribute that is not indexed
3. Create a user and add it a group
4. Deleting user should be rejected as the RI plugin issues an
unindexed internal search
:expectedresults:
1. Success
2. Success
3. Success
4. Success
"""
# Set the config
be_insts = Backends(topo.standalone).list()
for be in be_insts:
if be.get_attr_val_utf8_l('nsslapd-suffix') == DEFAULT_SUFFIX:
be.set('nsslapd-require-index', 'off')
be.set('nsslapd-require-internalop-index', 'on')
# Configure RI plugin
rip = ReferentialIntegrityPlugin(topo.standalone)
rip.set('referint-membership-attr', 'description')
rip.enable()
# Create a bunch of users
db_cfg = DatabaseConfig(topo.standalone)
db_cfg.set([('nsslapd-idlistscanlimit', '100')])
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in range(102, 202):
users.create_test_user(uid=i)
# Create user and group
user = users.create(properties={
'uid': 'indexuser',
'cn' : 'indexuser',
'sn' : 'user',
'uidNumber' : '1010',
'gidNumber' : '2010',
'homeDirectory' : '/home/indexuser'
})
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={'cn': 'group',
'member': user.dn})
# Restart the server
topo.standalone.restart()
# Deletion of user should be rejected
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
user.delete()
def test_users_and_groups(topology):
"""
Ensure that user and group management works as expected.
"""
if DEBUGGING:
# Add debugging steps(if any)...
pass
users = UserAccounts(topology.standalone, DEFAULT_SUFFIX)
groups = Groups(topology.standalone, DEFAULT_SUFFIX)
# No user should exist
assert(len(users.list()) == 0)
# Create a user
users.create(properties=TEST_USER_PROPERTIES)
assert(len(users.list()) == 1)
testuser = users.get('testuser')
# Set password
testuser.set('userPassword', 'password')
# bind
conn = testuser.bind('password')
conn.unbind_s()
# create group
group_properties = {
'cn' : 'group1',
'description' : 'testgroup'
}
group = groups.create(properties=group_properties)
# user shouldn't be a member
assert(not group.is_member(testuser.dn))
# add user as member
group.add_member(testuser.dn)
# check they are a member
assert(group.is_member(testuser.dn))
# remove user from group
group.remove_member(testuser.dn)
# check they are not a member
assert(not group.is_member(testuser.dn))
group.delete()
testuser.delete()
log.info('Test PASSED')
def test_user_compare(topology):
"""
Testing compare function
1. Testing comparison of two different users.
2. Testing comparison of 'str' object with itself, should raise 'ValueError'.
3. Testing comparison of user with similar user (different object id).
4. Testing comparison of user with group.
"""
if DEBUGGING:
# Add debugging steps(if any)...
pass
users = UserAccounts(topology.standalone, DEFAULT_SUFFIX)
groups = Groups(topology.standalone, DEFAULT_SUFFIX)
# Create 1st user
user1_properties = {
'uid': 'testuser1',
'cn': 'testuser1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/testuser1'
}
users.create(properties=user1_properties)
testuser1 = users.get('testuser1')
# Create 2nd user
user2_properties = {
'uid': 'testuser2',
'cn': 'testuser2',
'sn': 'user',
'uidNumber': '1001',
'gidNumber': '2002',
'homeDirectory': '/home/testuser2'
}
users.create(properties=user2_properties)
testuser2 = users.get('testuser2')
# create group
group_properties = {'cn': 'group1', 'description': 'testgroup'}
testuser1_copy = users.get("testuser1")
group = groups.create(properties=group_properties)
assert (UserAccount.compare(testuser1, testuser2) == False)
with pytest.raises(ValueError):
UserAccount.compare("test_str_object", "test_str_object")
assert (UserAccount.compare(testuser1, testuser1_copy) == True)
assert (UserAccount.compare(testuser1, group) == False)
log.info("Test PASSED")
def test_betxn_modrdn_memberof_cache_corruption(topology_st):
"""Test modrdn operations and memberOf be txn post op failures
:id: 70d0b96e-b693-4bf7-bbf5-102a66ac5994
:setup: Standalone instance
:steps: 1. Enable and configure memberOf plugin
2. Set memberofgroupattr="member" and memberofAutoAddOC="nsContainer"
3. Create group and user outside of memberOf plugin scope
4. Do modrdn to move group into scope
5. Do modrdn to move group into scope (again)
:expectedresults:
1. memberOf plugin plugin should be ON
2. Set memberofgroupattr="member" and memberofAutoAddOC="nsContainer" should PASS
3. Creating group and user should PASS
4. Modrdn should fail with objectclass violation
5. Second modrdn should also fail with objectclass violation
"""
peoplebase = 'ou=people,%s' % DEFAULT_SUFFIX
memberof = MemberOfPlugin(topology_st.standalone)
memberof.enable()
memberof.set_autoaddoc('nsContainer') # Bad OC
memberof.set('memberOfEntryScope', peoplebase)
memberof.set('memberOfAllBackends', 'on')
topology_st.standalone.restart()
groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
'cn': 'group',
})
# Create user and add it to group
users = UserAccounts(topology_st.standalone, basedn=DEFAULT_SUFFIX)
user = users.ensure_state(properties=TEST_USER_PROPERTIES)
if not ds_is_older('1.3.7'):
user.remove('objectClass', 'nsMemberOf')
group.add_member(user.dn)
# Attempt modrdn that should fail, but the original entry should stay in the cache
with pytest.raises(ldap.OBJECT_CLASS_VIOLATION):
group.rename('cn=group_to_people', newsuperior=peoplebase)
# Should fail, but not with NO_SUCH_OBJECT as the original entry should still be in the cache
with pytest.raises(ldap.OBJECT_CLASS_VIOLATION):
group.rename('cn=group_to_people', newsuperior=peoplebase)
# Done
log.info('test_betxn_modrdn_memberof: PASSED')
def test_deny_read_access_to_multiple_groupdns(topo, test_uer, aci_of_user):
"""Search Test 6 Deny read access to multiple groupdn's
:id: 8f3ba440-6e11-11e8-8b20-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
group.add_member(USER_ANANDA)
posix_groups = PosixGroups(topo.standalone, DEFAULT_SUFFIX)
posix_group = posix_groups.create(properties={
"cn": "group2",
"description": "testgroup2",
"gidNumber": "2000",
})
posix_group.add_member(USER_ANUJ)
ACI_TARGET = '(targetattr="*")'
ACI_ALLOW = '(version 3.0; acl "All rights for cn=group1,ou=Groups,{}"; deny(read)'.format(
DEFAULT_SUFFIX)
ACI_SUBJECT = 'groupdn="ldap:///cn=group1,ou=Groups,{}||ldap:///cn=group2,ou=Groups,{}";)'.format(
DEFAULT_SUFFIX, DEFAULT_SUFFIX)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";)
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";)
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 5 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
group = groups.get("group1")
group.delete()
posix_groups.get("group2")
posix_group.delete()
def test_scheme_violation_errors_logged(topo_m2):
"""Check that ERR messages are verbose enough, if a member entry
doesn't have the appropriate objectclass to support 'memberof' attribute
:id: e2af0aaa-447e-4e85-a5ce-57ae66260d0b
:setup: Standalone instance
:steps:
1. Enable memberofPlugin and set autoaddoc to nsMemberOf
2. Restart the instance
3. Add a user without nsMemberOf attribute
4. Create a group and add the user to the group
5. Check that user has memberOf attribute
6. Check the error log for ".*oc_check_allowed_sv.*USER_DN.*memberOf.*not allowed.*"
and ".*schema violation caught - repair operation.*" patterns
:expectedresults:
1. Should be successful
2. Should be successful
3. Should be successful
4. Should be successful
5. User should have the attribute
6. Errors should be logged
"""
inst = topo_m2.ms["master1"]
memberof = MemberOfPlugin(inst)
memberof.enable()
memberof.set_autoaddoc('nsMemberOf')
inst.restart()
users = UserAccounts(inst, SUFFIX)
user_props = TEST_USER_PROPERTIES.copy()
user_props.update({'uid': USER_CN, 'cn': USER_CN, 'sn': USER_CN})
testuser = users.create(properties=user_props)
testuser.remove('objectclass', 'nsMemberOf')
groups = Groups(inst, SUFFIX)
testgroup = groups.create(properties={'cn': GROUP_CN})
testgroup.add('member', testuser.dn)
user_memberof_attr = testuser.get_attr_val_utf8('memberof')
assert user_memberof_attr
log.info('memberOf attr value - {}'.format(user_memberof_attr))
pattern = ".*oc_check_allowed_sv.*{}.*memberOf.*not allowed.*".format(
testuser.dn)
log.info("pattern = %s" % pattern)
assert inst.ds_error_log.match(pattern)
pattern = ".*schema violation caught - repair operation.*"
assert inst.ds_error_log.match(pattern)
def setup(topology_st, request):
"""
Enable USN plug-in
Enable MEMBEROF plugin
Add test entries
"""
inst = topology_st.standalone
log.info("Enable the USN plugin...")
plugin = USNPlugin(inst)
plugin.enable()
log.info("Enable the MEMBEROF plugin...")
plugin = MemberOfPlugin(inst)
plugin.enable()
inst.restart()
users_list = []
log.info("Adding test entries...")
users = UserAccounts(inst, DEFAULT_SUFFIX)
for id in range(USER_NUM):
user = users.create_test_user(uid=id)
users_list.append(user)
groups_list = []
log.info("Adding test groups...")
groups = Groups(inst, DEFAULT_SUFFIX)
for id in range(GROUP_NUM):
group = groups.create(properties={'cn': f'test_group{id}'})
groups_list.append(group)
def fin():
for user in users_list:
try:
user.delete()
except ldap.NO_SUCH_OBJECT:
pass
for group in groups_list:
try:
group.delete()
except ldap.NO_SUCH_OBJECT:
pass
request.addfinalizer(fin)
return {"users": users_list,
"groups": groups_list}
def test_allow_selfwrite_access_to_anyone(topo, aci_of_user, cleanup_tree):
"""
Modify Test 8 Allow selfwrite access to anyone
:id:8b3becf0-7abf-11e8-ac34-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
ACI_BODY = '(target = ldap:///cn=group1,ou=Groups,{})(targetattr = "member")(version 3.0; acl "ACI NAME"; allow (selfwrite) (userdn = "ldap:///anyone") ;)'.format(
DEFAULT_SUFFIX)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
ou = OrganizationalUnit(topo.standalone,
"ou=Product Development,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Product Development'})
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
"cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
# Allow selfwrite access to anyone
groups = Groups(conn, DEFAULT_SUFFIX)
groups.list()[0].add_member(USER_DELADD)
group.delete()
def test_group_aci_entry_exists(topo,create_user):
"""This test case adds the groupdn aci and check ger contains 'vadn'
:id: 1d73f715-e4b3-4ed6-a93b-9d529898ca78
:setup: Standalone instance
:steps:
1. Create a group.
2. Add the user as member into the group.
3. Apply the ACI which will give the group full rights.
4. Check entryLevelRights value for entries.
5. Check 'vadn' is in the entryLevelRights.
:expectedresults:
1. It should pass
2. It should pass
3. It should pass
4. It should pass
5. It should pass
"""
(test_user,request_ctrl) = create_user
log.info('Adding group {}'.format(TEST_GROUP_NAME))
groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn=None)
group_properties = {
'cn': TEST_GROUP_NAME,
'description': 'testgroup'}
test_group = groups.create(properties=group_properties)
test_group.add_member(test_user.dn)
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
ACI_TARGET = '(targetattr="*")'
ACI_TARGET_FILTER = '(targetfilter ="(objectClass=person)")'
ACI_ALLOW = '(version 3.0; acl "give group1 full rights"; allow (all) '
ACI_SUBJECT = 'groupdn = "ldap:///{}";)'.format(test_group.dn)
ACI_BODY = ACI_TARGET + ACI_TARGET_FILTER + ACI_ALLOW + ACI_SUBJECT
log.info("Add an ACI granting add access to a user matching the groupdn")
suffix.add('aci', ACI_BODY)
entries = topo.standalone.search_ext('{}'.format(test_user.dn),
ldap.SCOPE_SUBTREE,
"objectclass=person",
serverctrls=[request_ctrl])
rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(entries)
for dn, attrs in rdata:
topo.standalone.log.info("dn: %s" % dn)
value = attrs['entryLevelRights'][0]
topo.standalone.log.info("######## entryLevelRights: %r" % value)
assert b'vadn' in value
def test_mul_derive_mult_dn(topology_st):
"""Test that with multiple cn we derive rdn correctly.
:id: 1e1f5483-bfad-4f73-9dfb-aec54d08b268
:setup: standalone instance
:steps: 1. Create with multiple cn
:expectedresults: 1. Create success
"""
gps = Groups(topology_st.standalone, DEFAULT_SUFFIX)
gp = gps.create(properties={
'cn': ['test_mul_derive_mult_dn', 'test_mul_derive_single_dn'],
})
assert gp.dn.lower(
) == f'cn=test_mul_derive_mult_dn,ou=groups,{DEFAULT_SUFFIX}'.lower()
gp.delete()
def test_mul_derive_single_dn(topology_st):
"""Test that with single cn we derive rdn correctly.
:id: f34f271a-ca57-4aa0-905a-b5392ce06c79
:setup: standalone instance
:steps: 1. Create with single cn
:expectedresults: 1. Create success
"""
gps = Groups(topology_st.standalone, DEFAULT_SUFFIX)
gp = gps.create(properties={
'cn': ['test_mul_derive_single_dn'],
})
assert gp.dn.lower(
) == f'cn=test_mul_derive_single_dn,ou=groups,{DEFAULT_SUFFIX}'.lower()
gp.delete()
def test_betxn_memberof(topology_st):
"""Test PLUGIN_MEMBER_OF plugin
:id: 70d0b96e-b693-4bf7-bbf5-102a66ac5993
:setup: Standalone instance and enabled dynamic plugins
:steps: 1. Enable and configure memberOf plugin
2. Set memberofgroupattr="member" and memberofAutoAddOC="referral"
3. Add two test groups - group1 and group2
4. Add group2 to group1
5. Add group1 to group2
:expectedresults:
1. memberOf plugin plugin should be ON
2. Set memberofgroupattr="member" and memberofAutoAddOC="referral" should PASS
3. Add operation should PASS
4. Add operation should FAIL
5. Add operation should FAIL
"""
memberof = MemberOfPlugin(topology_st.standalone)
memberof.enable()
memberof.set_autoaddoc('referral')
topology_st.standalone.restart()
groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
group1 = groups.create(properties={'cn': 'group1'})
group2 = groups.create(properties={'cn': 'group2'})
# We may need to mod groups to not have nsMemberOf ... ?
if not ds_is_older('1.3.7'):
group1.remove('objectClass', 'nsMemberOf')
group2.remove('objectClass', 'nsMemberOf')
# Add group2 to group1 - it should fail with objectclass violation
with pytest.raises(ldap.OBJECT_CLASS_VIOLATION):
group1.add_member(group2.dn)
# verify entry cache reflects the current/correct state of group1
assert not group1.is_member(group2.dn)
# Done
log.info('test_betxn_memberof: PASSED')
def test_deny_read_access_to_dynamic_group_with_host_port_set_on_ldap_url(
topo, test_uer, aci_of_user):
"""Search Test 27 Deny read access to dynamic group with host:port set on LDAP URL
:id: ceb62158-6e12-11e8-8c36-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
group.add('objectClass', 'groupOfURLS')
group.set(
'memberURL',
"ldap:///localhost:38901/{}??sub?(&(ou=Accounting)(cn=Sam*))".format(
DEFAULT_SUFFIX))
group.add_member(USER_ANANDA)
ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown"
ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format(
DEFAULT_SUFFIX)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block 'memberURL', "ldap:///localhost:38901/dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
group.delete()
def test_allow_delete_access_not_to_dynamic_group(topo, _add_user,
_aci_of_user):
"""
Test to Allow delete access to != dynamic group
:id: 14ffa452-68ed-11e8-a60d-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI that delete access to != dynamic group
3. Delete something using test USER_DELADD
4. Remove ACI
:expectedresults:
1. Entry should be added
2. ACI should be added
3. Operation should not succeed
4. Delete operation for ACI should succeed
"""
# Create dynamic group
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
group.add("objectclass", "groupOfURLs")
group.add(
"memberURL",
f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))'
)
# Set ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
f'(targetattr=*)(version 3.0; acl "$tet_thistest"; '
f'allow (delete) (groupdn != "ldap:///{group.dn}"); )')
# create connection with USER_WITH_ACI_DELADD
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
user = UserAccount(conn, USER_DELADD)
# Perform Allow delete access to != dynamic group
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.delete()
def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user,
_aci_of_user, request):
"""Test to Allow delete access to dynamic group
:id: 010a4f20-752a-4173-b763-f520c7a85b82
:setup: server
:steps:
1. Add test entry
2. Add ACI that Allow delete privilege to dynamic group
3. Delete something using test USER_DELADD
4. Remove ACI
:expectedresults:
1. Entry should be added
2. ACI should be added
3. Operation should succeed
4. Delete operation for ACI should succeed
"""
# Create dynamic group
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
group.add("objectclass", "groupOfURLs")
group.add(
"memberURL",
f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))'
)
# Set ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
f'(targetattr="uid")(version 3.0; acl "{request.node.name}"; '
f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')
# create connection with USER_WITH_ACI_DELADD
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Perform Allow delete access to dynamic group
UserAccount(conn, USER_DELADD).delete()
def automember_fixture(topo, request):
# Create group
group_obj = Groups(topo.standalone, DEFAULT_SUFFIX)
automem_group = group_obj.create(properties={'cn': 'testgroup'})
# Create users
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
NUM_USERS = 1000
for num in range(NUM_USERS):
num_ran = int(round(num))
USER_NAME = 'test%05d' % num_ran
users.create(
properties={
'uid': USER_NAME,
'sn': USER_NAME,
'cn': USER_NAME,
'uidNumber': '%s' % num_ran,
'gidNumber': '%s' % num_ran,
'homeDirectory': '/home/%s' % USER_NAME,
'mail': '*****@*****.**' % USER_NAME,
'userpassword': '******' % num_ran,
})
# Create automember definitions and regex rules
automember_prop = {
'cn': 'testgroup_definition',
'autoMemberScope': DEFAULT_SUFFIX,
'autoMemberFilter': 'objectclass=posixaccount',
'autoMemberDefaultGroup': automem_group.dn,
'autoMemberGroupingAttr': 'member:dn',
}
automembers = AutoMembershipDefinitions(topo.standalone)
auto_def = automembers.create(properties=automember_prop)
auto_def.add_regex_rule("regex1",
automem_group.dn,
include_regex=['uid=.*'])
# Enable plugin
automemberplugin = AutoMembershipPlugin(topo.standalone)
automemberplugin.enable()
topo.standalone.restart()
def test_deny_read_access_to_a_dynamic_group(topo, test_uer, aci_of_user):
"""Search Test 26 Deny read access to a dynamic group
:id: c0c5290e-6e12-11e8-a900-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group_properties = {"cn": "group1", "description": "testgroup"}
group = groups.create(properties=group_properties)
group.add('objectClass', 'groupOfURLS')
group.set(
'memberURL',
"ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX))
group.add_member(USER_ANANDA)
ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format(
DEFAULT_SUFFIX)
ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown"
ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format(
DEFAULT_SUFFIX)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block all 'memberURL', "ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX)
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# USER_ANUJ is not a member
assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
group.delete()
def test_mul_explicit_rdn(topology_st):
"""Test that with multiple cn and an explicit rdn, we use the rdn
:id: b39ef204-45c0-4a74-9b59-b4ac1199d78c
:setup: standalone instance
:steps: 1. Create with mulitple cn and rdn
:expectedresults: 1. Create success
"""
# Create with an explicit rdn value, given to the properties/rdn
gps = Groups(topology_st.standalone, DEFAULT_SUFFIX)
gp = gps.create(
'cn=test_mul_explicit_rdn',
properties={
'cn': ['test_mul_explicit_rdn', 'other_cn_test_mul_explicit_rdn'],
})
assert gp.dn.lower(
) == f'cn=test_mul_explicit_rdn,ou=groups,{DEFAULT_SUFFIX}'.lower()
gp.delete()
def test_deny_read_access_to_dynamic_group_two(topo, test_uer, aci_of_user):
"""
Search Test 29 Deny read access to != dynamic group
:id: eae2a6c6-6e12-11e8-80f3-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group_properties = {"cn": "group1",
"description": "testgroup"
}
group = groups.create(properties=group_properties)
group.add('objectClass', 'groupofuniquenames')
group.set('uniquemember', [USER_ANANDA,USER_ANUJ])
ACI_TARGET = '(targetattr = "*")'
ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read) ' % "Unknown"
ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format(DEFAULT_SUFFIX)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block groupdn = "ldap:///cn=group1,ou=Groups,dc=example,dc=com";)
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block groupdn = "ldap:///cn=group1,ou=Groups,dc=example,dc=com";)
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
# with root there is no aci blockage
assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))
group.delete()
def test_allow_delete_access_not_to_group(topo, _add_user, _aci_of_user):
"""
Test to Allow delete access to != groupdn
:id: f58fc8b0-68e5-11e8-9313-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI that allows groupdn not to delete some userdn
3. Delete something using test USER_DELADD belong to test group
4. Remove ACI
:expectedresults:
1. Entry should be added
2. ACI should be added
3. Operation should not succeed
4. Delete operation for ACI should succeed
"""
# Create group
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
group.add_member(USER_WITH_ACI_DELADD)
# set aci
aci_target = f'(targetattr="*")'
aci_allow = f'(version 3.0; acl "All rights for {group.dn}"; allow (delete)'
aci_subject = f'groupdn!="ldap:///{group.dn}";)'
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))
# create connection with USER_WITH_ACI_DELADD
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
user = UserAccount(conn, USER_DELADD)
# Perform delete operation
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.delete()
def test_allow_delete_access_to_groupdn(topo, _add_user, _aci_of_user):
"""
Test allow delete access to groupdn
:id: 7cf15992-68ad-11e8-85af-54e1ad30572c
:setup: topo.standalone
:steps:
1. Add test entry
2. Add ACI that allows groupdn to delete
3. Delete something using test USER_DELADD
4. Remove ACI
:expectedresults:
1. Entry should be added
2. ACI should be added
3. Delete operation should succeed
4. Delete operation for ACI should succeed
"""
# Create Group and add member
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
group.add_member(USER_WITH_ACI_DELADD)
# set aci
aci_target = f'(targetattr="*")'
aci_allow = f'(version 3.0; acl "All rights for {group.dn}"; allow (delete) '
aci_subject = f'groupdn="ldap:///{group.dn}";)'
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))
# create connection with USER_WITH_ACI_DELADD
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Perform delete operation
for i in [USER_DELADD, USER_WITH_ACI_DELADD]:
UserAccount(conn, i).delete()
def automember_fixture(topo, request):
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={'cn': 'testgroup'})
automemberplugin = AutoMembershipPlugin(topo.standalone)
automemberplugin.enable()
topo.standalone.restart()
automember_prop = {
'cn': 'testgroup_definition',
'autoMemberScope': 'ou=People,' + DEFAULT_SUFFIX,
'autoMemberFilter': 'objectclass=*',
'autoMemberDefaultGroup': group.dn,
'autoMemberGroupingAttr': 'member:dn',
}
automembers = AutoMembershipDefinitions(topo.standalone, "cn=Auto Membership Plugin,cn=plugins,cn=config")
automember = automembers.create(properties=automember_prop)
return (group, automembers, automember)
