def create_user(topology_st):
"""User for binding operation"""
users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
users.create(
properties={
'cn': TEST_USER_NAME,
'sn': TEST_USER_NAME,
'userpassword': TEST_USER_PWD,
'mail': '*****@*****.**' % TEST_USER_NAME,
'uid': TEST_USER_NAME,
'uidNumber': '1000',
'gidNumber': '1000',
'homeDirectory': '/home/test'
})
# Add anonymous access aci
ACI_TARGET = "(targetattr != \"userpassword || aci\")(target = \"ldap:///%s\")" % (
DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topology_st.standalone, DEFAULT_SUFFIX)
try:
suffix.add('aci', ANON_ACI)
except ldap.TYPE_OR_VALUE_EXISTS:
pass
def aci_with_attr_subtype(request, topology_m2):
"""Adds and deletes an ACI in the DEFAULT_SUFFIX"""
TARGET_ATTR = 'protectedOperation'
USER_ATTR = 'allowedToPerform'
SUBTYPE = request.param
suffix = Domain(topology_m2.ms["supplier1"], DEFAULT_SUFFIX)
log.info("========Executing test with '%s' subtype========" % SUBTYPE)
log.info(" Add a target attribute")
add_attr(topology_m2, TARGET_ATTR)
log.info(" Add a user attribute")
add_attr(topology_m2, USER_ATTR)
ACI_TARGET = '(targetattr=%s;%s)' % (TARGET_ATTR, SUBTYPE)
ACI_ALLOW = '(version 3.0; acl "test aci for subtypes"; allow (read) '
ACI_SUBJECT = 'userattr = "%s;%s#GROUPDN";)' % (USER_ATTR, SUBTYPE)
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
log.info("Add an ACI with attribute subtype")
suffix.add('aci', ACI_BODY)
def fin():
log.info("Finally, delete an ACI with the '%s' subtype" %
SUBTYPE)
suffix.remove('aci', ACI_BODY)
request.addfinalizer(fin)
return ACI_BODY
def test_undefined_in_group_eval_three(topo, test_user, aci_of_user):
"""
This aci will allow access
:id: 04943dcc-7841-11e8-8c46-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. Add test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
user = Domain(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
# test UNDEFINED in group
user.add("sn", "Fred")
assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('uid') == 'scratchEntry'
user.remove("sn", "Fred")
def test_undefined_in_group_eval_sixteen(topo, test_user, aci_of_user):
"""
Test with parent keyword with not key
:id: 69852688-7841-11e8-8db1-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. Add test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add(
"aci",
'(targetattr=*)(version 3.0; aci "tester"; allow(all) not ( userattr = "parent[0,1].description#USERDN");)'
)
domain.add("description", DEEPUSER_GLOBAL)
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
# Test with parent keyword with not key
user = UserAccount(conn, NEWCHILDSCRATCHENTRY_GLOBAL)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.add("description", DEEPUSER_GLOBAL)
def aci_of_user(request, topo):
"""
:param request:
:param topo:
"""
# Add anonymous access aci
ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (
DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
suffix.add('aci', ANON_ACI)
except ldap.TYPE_OR_VALUE_EXISTS:
pass
aci_list = suffix.get_attr_vals('aci')
def finofaci():
"""
Removes and Restores ACIs after the test.
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.remove_all('aci')
for i in aci_list:
domain.add("aci", i)
request.addfinalizer(finofaci)
def finofaci():
"""
Removes and Restores ACIs after the test.
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.remove_all('aci')
for i in aci_list:
domain.add("aci", i)
def test_user(request, topo):
for demo in ['Product Development', 'Accounting', 'nestedgroup']:
OrganizationalUnit(topo.standalone, "ou={},{}".format(
demo, DEFAULT_SUFFIX)).create(properties={'ou': demo})
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'ou=nestedgroup')
for demo1 in [
'DEEPUSER_GLOBAL', 'scratchEntry', 'DEEPUSER2_GLOBAL',
'DEEPUSER3_GLOBAL', 'GROUPDNATTRSCRATCHENTRY_GLOBAL', 'newChild'
]:
uas.create(
properties={
'uid': demo1,
'cn': demo1,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + demo1,
'userPassword': PW_DM
})
# Add anonymous access aci
ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (
DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
suffix.add('aci', ANON_ACI)
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX,
'uid=GROUPDNATTRSCRATCHENTRY_GLOBAL,ou=nestedgroup')
for demo1 in ['c1', 'CHILD1_GLOBAL']:
uas.create(
properties={
'uid': demo1,
'cn': demo1,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + demo1,
'userPassword': PW_DM
})
grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=nestedgroup')
for i in [
('ALLGROUPS_GLOBAL', GROUPA_GLOBAL), ('GROUPA_GLOBAL', GROUPB_GLOBAL),
('GROUPB_GLOBAL', GROUPC_GLOBAL), ('GROUPC_GLOBAL', GROUPD_GLOBAL),
('GROUPD_GLOBAL', GROUPE_GLOBAL), ('GROUPE_GLOBAL', GROUPF_GLOBAL),
('GROUPF_GLOBAL', GROUPG_GLOBAL), ('GROUPG_GLOBAL', GROUPH_GLOBAL),
('GROUPH_GLOBAL', DEEPUSER_GLOBAL)
]:
grp.create(properties={
'cn': i[0],
'ou': 'groups',
'uniquemember': i[1]
})
def moddn_setup(topology_m2):
"""Creates
- a staging DIT
- a production DIT
- add accounts in staging DIT
- enable ACL logging (commented for performance reason)
"""
m1 = topology_m2.ms["supplier1"]
o_roles = OrganizationalRoles(m1, SUFFIX)
m1.log.info("\n\n######## INITIALIZATION ########\n")
# entry used to bind with
m1.log.info("Add {}".format(BIND_DN))
user = UserAccount(m1, BIND_DN)
user_props = TEST_USER_PROPERTIES.copy()
user_props.update({'sn': BIND_RDN,
'cn': BIND_RDN,
'uid': BIND_RDN,
'userpassword': BIND_PW})
user.create(properties=user_props, basedn=SUFFIX)
# Add anonymous read aci
ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"*\")" % (SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = " userdn = \"ldap:///anyone\";)"
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(m1, SUFFIX)
suffix.add('aci', ACI_BODY)
# DIT for staging
m1.log.info("Add {}".format(STAGING_DN))
o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"})
# DIT for production
m1.log.info("Add {}".format(PRODUCTION_DN))
o_roles.create(properties={'cn': PRODUCTION_CN, 'description': "production DIT"})
# DIT for production/except
m1.log.info("Add {}".format(PROD_EXCEPT_DN))
o_roles_prod = OrganizationalRoles(m1, PRODUCTION_DN)
o_roles_prod.create(properties={'cn': EXCEPT_CN, 'description': "production except DIT"})
# enable acl error logging
# mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')]
# m1.modify_s(DN_CONFIG, mod)
# topology_m2.ms["supplier2"].modify_s(DN_CONFIG, mod)
# add dummy entries in the staging DIT
staging_users = UserAccounts(m1, SUFFIX, rdn="cn={}".format(STAGING_CN))
user_props = TEST_USER_PROPERTIES.copy()
for cpt in range(MAX_ACCOUNTS):
name = "{}{}".format(NEW_ACCOUNT, cpt)
user_props.update({'sn': name, 'cn': name, 'uid': name})
staging_users.create(properties=user_props)
def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):
"""
User can access the data when connecting from certain network only as per the ACI.
:id: 4ec38296-7ac5-11e8-9816-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Turn access log buffering off to make less time consuming
topo.standalone.config.set('nsslapd-accesslog-logbuffering', 'off')
# Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
# Wait till Access Log is generated
topo.standalone.restart()
hostname = socket.gethostname()
IP = socket.gethostbyname(hostname)
# Add ACI
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add(
"aci",
f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci "IP aci"; '
f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and (ip = "127.0.0.1" or ip = "::1" or ip = "{IP}") ;)'
)
# create a new connection for the test
conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, IP_OU_KEY)
org.replace("seeAlso", "cn=1")
# remove the aci
domain.ensure_removed(
"aci",
f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci '
f'"IP aci"; allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and '
f'(ip = "127.0.0.1" or ip = "::1" or ip = "{IP}") ;)')
# Now add aci with new ip
domain.add(
"aci",
f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")(version 3.0; aci "IP aci"; '
f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "100.1.1.1" ;)'
)
# After changing the ip user cant access data
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def password_policy(topology_st):
"""Set global password policy"""
log.info('Enable global password policy. Check for syntax.')
topology_st.standalone.config.set('passwordCheckSyntax', 'on')
topology_st.standalone.config.set('nsslapd-pwpolicy-local', 'off')
topology_st.standalone.config.set('passwordMinCategories', '1')
# Add self user modification and anonymous aci
USER_SELF_MOD_ACI = '(targetattr="userpassword")(version 3.0; acl "pwp test"; allow (all) userdn="ldap:///self";)'
ANON_ACI = "(targetattr=\"*\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)"
suffix = Domain(topology_st.standalone, DEFAULT_SUFFIX)
suffix.add('aci', USER_SELF_MOD_ACI)
suffix.add('aci', ANON_ACI)
def add_anon_aci_access(topo, request):
# Add anonymous access aci
ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
suffix.add('aci', ANON_ACI)
except ldap.TYPE_OR_VALUE_EXISTS:
pass
def fin():
suffix.delete()
request.addfinalizer(fin)
def test_connection_from_an_unauthorized_network(topo, add_user, aci_of_user):
"""
User cannot access the data when connectin from an unauthorized network as per the ACI.
:id: 52d1ecce-7ac5-11e8-9ad9-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
old_hostname = socket.gethostname()
socket.sethostname('localhost')
hostname = socket.gethostname()
# Add ACI
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "IP aci"; '
f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '
f'and (ip != "127.0.0.1" and ip != "::1") ;)')
# create a new connection for the test
new_uri = topo.standalone.ldapuri.replace(old_hostname, hostname)
topo.standalone.ldapuri = new_uri
conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
# Perform Operation
topo.standalone.config.set('nsslapd-errorlog-level', '128')
org = OrganizationalUnit(conn, IP_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
# Remove the ACI
domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])
# Add new ACI
domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")'
f'(version 3.0; aci "IP aci"; allow(all) '
f'userdn = "ldap:///{NETSCAPEIP_KEY}" and (ip = "127.0.0.1" or ip = "::1") ;)')
time.sleep(1)
# now user can access data
org.replace("seeAlso", "cn=1")
def finofaci():
"""
Removes and Restores ACIs and other users after the test.
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.remove_all('aci')
managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in managed_roles.list() + nested_roles.list() + users.list():
i.delete()
for i in aci_list:
domain.add("aci", i)
def test_aci_invalid_syntax(topo, real_value):
"""
Try to set wrong ACI syntax.
:id: d544d09a-6ed1-11e8-8872-8c16451d917b
:setup: Standalone Instance
:steps:
1. Create ACI
2. Try to setup the ACI with Instance
:expectedresults:
1. It should pass
2. It should not pass
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
with pytest.raises(ldap.INVALID_SYNTAX):
domain.add("aci", real_value)
def test_group_aci_entry_exists(topo,create_user):
"""This test case adds the groupdn aci and check ger contains 'vadn'
:id: 1d73f715-e4b3-4ed6-a93b-9d529898ca78
:setup: Standalone instance
:steps:
1. Create a group.
2. Add the user as member into the group.
3. Apply the ACI which will give the group full rights.
4. Check entryLevelRights value for entries.
5. Check 'vadn' is in the entryLevelRights.
:expectedresults:
1. It should pass
2. It should pass
3. It should pass
4. It should pass
5. It should pass
"""
(test_user,request_ctrl) = create_user
log.info('Adding group {}'.format(TEST_GROUP_NAME))
groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn=None)
group_properties = {
'cn': TEST_GROUP_NAME,
'description': 'testgroup'}
test_group = groups.create(properties=group_properties)
test_group.add_member(test_user.dn)
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
ACI_TARGET = '(targetattr="*")'
ACI_TARGET_FILTER = '(targetfilter ="(objectClass=person)")'
ACI_ALLOW = '(version 3.0; acl "give group1 full rights"; allow (all) '
ACI_SUBJECT = 'groupdn = "ldap:///{}";)'.format(test_group.dn)
ACI_BODY = ACI_TARGET + ACI_TARGET_FILTER + ACI_ALLOW + ACI_SUBJECT
log.info("Add an ACI granting add access to a user matching the groupdn")
suffix.add('aci', ACI_BODY)
entries = topo.standalone.search_ext('{}'.format(test_user.dn),
ldap.SCOPE_SUBTREE,
"objectclass=person",
serverctrls=[request_ctrl])
rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(entries)
for dn, attrs in rdata:
topo.standalone.log.info("dn: %s" % dn)
value = attrs['entryLevelRights'][0]
topo.standalone.log.info("######## entryLevelRights: %r" % value)
assert b'vadn' in value
def test_aci_invalid_syntax_fail(topo, real_value):
"""
Try to set wrong ACI syntax.
:id: 83c40784-fff5-49c8-9535-7064c9c19e7e
:parametrized: yes
:setup: Standalone Instance
:steps:
1. Create ACI
2. Try to setup the ACI with Instance
:expectedresults:
1. It should pass
2. It should not pass
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
with pytest.raises(ldap.INVALID_SYNTAX):
domain.add("aci", real_value)
def test_aci_invalid_syntax(topo, real_value):
"""
Try to set wrong ACI syntax.
:id: e8bf20b6-48be-4574-8300-056e42a0f0a8
:parametrized: yes
:setup: Standalone Instance
:steps:
1. Create ACI
2. Try to setup the ACI with Instance
:expectedresults:
1. It should pass
2. It should not pass
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
with pytest.raises(ldap.INVALID_SYNTAX):
domain.add("aci", real_value)
def test_target_set_above_the_entry_test(topo):
"""
Try to set wrong ACI syntax.
:id: d544d09a-6ed1-11e8-8872-8c16451d917b
:setup: Standalone Instance
:steps:
1. Create ACI
2. Try to setup the ACI with Instance
:expectedresults:
1. It should pass
2. It should not pass
"""
domain = Domain(topo.standalone, "ou=People,{}".format(DEFAULT_SUFFIX))
with pytest.raises(ldap.INVALID_SYNTAX):
domain.add(
"aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
f'(targetattr=*)(version 3.0; acl "Name of the ACI"; deny absolute '
f'(all)userdn="ldap:///anyone";)')
def finofaci():
"""
Removes and Restores ACIs and other users after the test.
And restore nsslapd-ignore-virtual-attrs to default
"""
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.remove_all('aci')
managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
for i in managed_roles.list() + nested_roles.list() + users.list():
i.delete()
for i in aci_list:
domain.add("aci", i)
topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')
def test_group_aci_template_entry(topo,create_user):
"""This test case adds the groupdn aci and check ger contains 'vadn'
:id: 714c8649-36b6-4e28-a4c5-4b16ede4355f
:setup: Standalone instance
:steps:
1. Apply the ACI which will give the user full rights.
2. Check entryLevelRights value for a non-existing template entry.
3. Check 'vadn' is in the entryLevelRights of the non-existing template entry.
:expectedresults:
1. It should pass
2. It should pass
3. It should pass
"""
(test_user, request_ctrl) = create_user
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
ACI_TARGET = '(targetattr="*")'
ACI_TARGET_FILTER = '(targetfilter ="(objectClass=person)")'
ACI_ALLOW = '(version 3.0; acl "allow all to target"; allow (all) '
ACI_SUBJECT = 'userdn = "ldap:///{}";)'.format(test_user.dn)
ACI_BODY = ACI_TARGET + ACI_TARGET_FILTER + ACI_ALLOW + ACI_SUBJECT
log.info("Add an ACI granting add access to a user matching the userdn")
suffix.add('aci', ACI_BODY)
entries = topo.standalone.search_ext(DEFAULT_SUFFIX,
ldap.SCOPE_SUBTREE,
"cn=sub_entry11", ["sn@person:cn", "member@groupofnames:cn"],
serverctrls=[request_ctrl])
rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(entries)
for dn, attrs in rdata:
if dn == 'cn=template_person_objectclass,dc=example,dc=com':
topo.standalone.log.info("dn: %s" % dn)
value = attrs['entryLevelRights'][0]
topo.standalone.log.info("######## entryLevelRights: %r" % value)
assert b'vadn' in value
elif dn == 'cn=template_groupofnames_objectclass,dc=example,dc=com':
topo.standalone.log.info("dn: %s" % dn)
value = attrs['entryLevelRights'][0]
topo.standalone.log.info("######## entryLevelRights: %r" % value)
assert b'vadn' not in value
else:
assert False
def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):
"""
User cannot access the data when connectin from an unauthorized network as per the ACI.
:id:52d1ecce-7ac5-11e8-9ad9-8c16451d917b
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
ip_ip = topo.standalone.ds_access_log.match(
'.* connection from ')[0].split()[-1]
# Add ACI
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add(
"aci", f'(target = "ldap:///{IP_OU_KEY}")'
f'(targetattr=*)(version 3.0; aci "IP aci"; '
f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '
f'and ip != "{ip_ip}" ;)')
# create a new connection for the test
conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, IP_OU_KEY)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
# Remove the ACI
domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])
# Add new ACI
domain.add(
'aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)'
f'(version 3.0; aci "IP aci"; allow(all) '
f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')
# now user can access data
org.replace("seeAlso", "cn=1")
def test_timeofday_keyword(topo, add_user, aci_of_user):
"""
User NOWORKER_KEY can access the data as per the ACI after removing
ACI it cant.
:id: 681dd58e-7ac5-11e8-bed1-8c16451d917b
:customerscenario: True
:setup: Standalone Server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
now = time.strftime("%c")
now_1 = "".join(now.split()[3].split(":"))[:4]
# Add ACI
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.add(
"aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
f'allow(all) userdn = "ldap:///{NOWORKER_KEY}" '
f'and timeofday = \'{now_1}\' ;)')
# Create a new connection for this test.
conn = UserAccount(topo.standalone, NOWORKER_KEY).bind(PW_DM)
# Perform Operation
org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
org.replace("seeAlso", "cn=1")
# Remove ACI
aci = domain.get_attr_vals_utf8('aci')[-1]
domain.ensure_removed('aci', aci)
assert aci not in domain.get_attr_vals_utf8('aci')
# after removing the ACI user cannot access the data
time.sleep(1)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
org.replace("seeAlso", "cn=1")
def aci_of_user(request, topo):
# Add anonymous access aci
ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (
DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
suffix.add('aci', ANON_ACI)
except ldap.TYPE_OR_VALUE_EXISTS:
pass
aci_list = suffix.get_attr_vals('aci')
def finofaci():
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.set('aci', None)
for i in aci_list:
domain.add("aci", i)
request.addfinalizer(finofaci)
def finofaci():
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
domain.set('aci', None)
for i in aci_list:
domain.add("aci", i)
def test_managed_entry_removal(topo):
"""Check that we can't remove managed entry manually
:id: cf9c5be5-97ef-46fc-b199-8346acf4c296
:setup: Standalone Instance
:steps:
1. Enable the plugin
2. Restart the instance
3. Add our org units
4. Set up config entry and template entry for the org units
5. Add an entry that meets the MEP scope
6. Check if a managed group entry was created
7. Try to remove the entry while bound as Admin (non-DM)
8. Remove the entry while bound as DM
9. Check that the managing entry can be deleted too
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Should fail
8. Success
9. Success
"""
inst = topo.standalone
# Add ACI so we can test that non-DM user can't delete managed entry
domain = Domain(inst, DEFAULT_SUFFIX)
ACI_TARGET = f"(target = \"ldap:///{DEFAULT_SUFFIX}\")"
ACI_TARGETATTR = "(targetattr = *)"
ACI_ALLOW = "(version 3.0; acl \"Admin Access\"; allow (all) "
ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)"
ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
domain.add('aci', ACI_BODY)
# stop the plugin, and start it
plugin = ManagedEntriesPlugin(inst)
plugin.disable()
plugin.enable()
# Add our org units
ous = OrganizationalUnits(inst, DEFAULT_SUFFIX)
ou_people = ous.create(properties={'ou': 'managed_people'})
ou_groups = ous.create(properties={'ou': 'managed_groups'})
mep_templates = MEPTemplates(inst, DEFAULT_SUFFIX)
mep_template1 = mep_templates.create(
properties={
'cn':
'MEP template',
'mepRDNAttr':
'cn',
'mepStaticAttr':
'objectclass: groupOfNames|objectclass: extensibleObject'.split(
'|'),
'mepMappedAttr':
'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|')
})
mep_configs = MEPConfigs(inst)
mep_configs.create(
properties={
'cn': 'config',
'originScope': ou_people.dn,
'originFilter': 'objectclass=posixAccount',
'managedBase': ou_groups.dn,
'managedTemplate': mep_template1.dn
})
inst.restart()
# Add an entry that meets the MEP scope
test_users_m1 = UserAccounts(inst,
DEFAULT_SUFFIX,
rdn='ou={}'.format(ou_people.rdn))
managing_entry = test_users_m1.create_test_user(1001)
managing_entry.reset_password(USER_PASSWORD)
user_bound_conn = managing_entry.bind(USER_PASSWORD)
# Get the managed entry
managed_groups = Groups(inst, ou_groups.dn, rdn=None)
managed_entry = managed_groups.get(managing_entry.rdn)
# Check that the managed entry was created
assert managed_entry.exists()
# Try to remove the entry while bound as Admin (non-DM)
managed_groups_user_conn = Groups(user_bound_conn, ou_groups.dn, rdn=None)
managed_entry_user_conn = managed_groups_user_conn.get(managed_entry.rdn)
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
managed_entry_user_conn.delete()
assert managed_entry_user_conn.exists()
# Remove the entry while bound as DM
managed_entry.delete()
assert not managed_entry.exists()
# Check that the managing entry can be deleted too
managing_entry.delete()
assert not managing_entry.exists()
def test_managedrole(topo, request):
"""Test Managed Role
:id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. Search managed role entries
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
# Create Managed role entry
roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
role = roles.create(properties={"cn": 'ROLE1'})
# Create user and Assign the role to the entry
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
uas.create(
properties={
'uid': 'Fail',
'cn': 'Fail',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Fail',
'nsRoleDN': role.dn,
'userPassword': PW_DM
})
# Create user and do not Assign any role to the entry
uas.create(
properties={
'uid': 'Success',
'cn': 'Success',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Success',
'userPassword': PW_DM
})
# Assert that Manage role entry is created and its searchable
assert ManagedRoles(topo.standalone, DEFAULT_SUFFIX).list()[0].dn \
== 'cn=ROLE1,dc=example,dc=com'
# Set an aci that will deny ROLE1 manage role
Domain(topo.standalone, DEFAULT_SUFFIX).\
add('aci', '(targetattr="*")(version 3.0; aci "role aci";'
' deny(all) roledn="ldap:///{}";)'.format(role.dn),)
# Add self user modification and anonymous aci
ANON_ACI = "(targetattr=\"*\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)"
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
suffix.add('aci', ANON_ACI)
# Crate a connection with cn=Fail which is member of ROLE1
conn = UserAccount(topo.standalone,
"uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Access denied to ROLE1 members
assert not ManagedRoles(conn, DEFAULT_SUFFIX).list()
# Now create a connection with cn=Success which is not a member of ROLE1
conn = UserAccount(topo.standalone,
"uid=Success,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# Access allowed here
assert ManagedRoles(conn, DEFAULT_SUFFIX).list()
for i in uas.list():
i.delete()
for i in roles.list():
i.delete()
def fin():
topo.standalone.restart()
try:
role = ManagedRoles(topo.standalone, DEFAULT_SUFFIX).get('ROLE1')
role.delete()
except:
pass
topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')
request.addfinalizer(fin)
def test_mode_legacy_ger_with_moddn(topology_m2, moddn_setup):
"""This test checks mode legacy : GER with moddn
:id: 37c1e537-1b5d-4fab-b62a-50cd8c5b3493
:setup: MMR with two suppliers,
M1 - staging DIT
M2 - production DIT
add test accounts in staging DIT
:steps:
1. Disable ACI checks - set nsslapd-moddn-aci: off
2. Add moddn ACI on M1
3. Search for GER controls on M1
4. Check entryLevelRights value for entries
5. Check 'n' is in the entryLevelRights
6. Try MOD with the both ACI
:expectedresults:
1. It should pass
2. It should pass
3. It should pass
4. It should pass
5. It should pass
6. It should pass
"""
suffix = Domain(topology_m2.ms["supplier1"], SUFFIX)
topology_m2.ms["supplier1"].log.info("\n\n######## Disable the moddn aci mod ########\n")
_bind_manager(topology_m2)
topology_m2.ms["supplier1"].config.set(CONFIG_MODDN_ACI_ATTR, 'off')
topology_m2.ms["supplier1"].log.info("\n\n######## mode legacy : GER with moddn ########\n")
# being allowed to read/write the RDN attribute use to allow the RDN
ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"uid\")" % (PRODUCTION_DN)
ACI_ALLOW = "(version 3.0; acl \"MODDN production changing the RDN attribute\"; allow (read,search,write)"
ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
# successful MOD with the ACI
_bind_manager(topology_m2)
suffix.add('aci', ACI_BODY)
_bind_normal(topology_m2)
request_ctrl = GetEffectiveRightsControl(criticality=True, authzId=ensure_bytes("dn: " + BIND_DN))
msg_id = topology_m2.ms["supplier1"].search_ext(PRODUCTION_DN,
ldap.SCOPE_SUBTREE,
"objectclass=*",
serverctrls=[request_ctrl])
rtype, rdata, rmsgid, response_ctrl = topology_m2.ms["supplier1"].result3(msg_id)
# ger={}
value = ''
for dn, attrs in rdata:
topology_m2.ms["supplier1"].log.info("dn: %s" % dn)
value = attrs['entryLevelRights'][0]
topology_m2.ms["supplier1"].log.info("######## entryLevelRights: %r" % value)
assert b'n' in value
# successful MOD with the both ACI
_bind_manager(topology_m2)
suffix.remove('aci', ACI_BODY)
def test_info_disclosure(request, topo):
"""Test that a search returns 32 when base entry does not exist
:id: f6dec4c2-65a3-41e4-a4c0-146196863333
:setup: Standalone Instance
:steps:
1. Add aci
2. Add test user
3. Bind as user and search for non-existent entry
:expectedresults:
1. Success
2. Success
3. Error 32 is returned
"""
ACI_TARGET = "(targetattr = \"*\")(target = \"ldap:///%s\")" % (
DEFAULT_SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Read/Search permission for all users\"; allow (read,search)"
ACI_SUBJECT = "(userdn=\"ldap:///all\");)"
ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
# Get current ACi's so we can restore them when we are done
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
preserved_acis = suffix.get_attr_vals_utf8('aci')
def finofaci():
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
try:
domain.remove_all('aci')
domain.replace_values('aci', preserved_acis)
except:
pass
request.addfinalizer(finofaci)
# Remove aci's
suffix.remove_all('aci')
# Add test user
USER_DN = "uid=test,ou=people," + DEFAULT_SUFFIX
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
users.create(
properties={
'uid': 'test',
'cn': 'test',
'sn': 'test',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/test',
'userPassword': PW_DM
})
# bind as user
conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)
# Search fo existing base DN
test = Domain(conn, DEFAULT_SUFFIX)
try:
test.get_attr_vals_utf8_l('dc')
assert False
except IndexError:
pass
# Search for a non existent bases
subtree = Domain(conn, "ou=does_not_exist," + DEFAULT_SUFFIX)
try:
subtree.get_attr_vals_utf8_l('objectclass')
except IndexError:
pass
subtree = Domain(
conn, "ou=also does not exist,ou=does_not_exist," + DEFAULT_SUFFIX)
try:
subtree.get_attr_vals_utf8_l('objectclass')
except IndexError:
pass
# Try ONE level search instead of BASE
try:
Accounts(conn, "ou=does_not_exist," + DEFAULT_SUFFIX).filter(
"(objectclass=top)", scope=ldap.SCOPE_ONELEVEL)
except IndexError:
pass
# add aci
suffix.add('aci', ACI)
# Search for a non existent entry which should raise an exception
with pytest.raises(ldap.NO_SUCH_OBJECT):
conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)
subtree = Domain(conn, "ou=does_not_exist," + DEFAULT_SUFFIX)
subtree.get_attr_vals_utf8_l('objectclass')
with pytest.raises(ldap.NO_SUCH_OBJECT):
conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)
subtree = Domain(
conn, "ou=also does not exist,ou=does_not_exist," + DEFAULT_SUFFIX)
subtree.get_attr_vals_utf8_l('objectclass')
with pytest.raises(ldap.NO_SUCH_OBJECT):
conn = UserAccount(topo.standalone, USER_DN).bind(PW_DM)
DN = "ou=also does not exist,ou=does_not_exist," + DEFAULT_SUFFIX
Accounts(conn, DN).filter("(objectclass=top)",
scope=ldap.SCOPE_ONELEVEL,
strict=True)
def password_policy(topology_st):
"""Set up password policy
Create a Password Admin entry;
Set up password policy attributes in config;
Add an aci to give everyone full access;
Test that the setup works
"""
log.info('test_pwdAdmin_init: Creating Password Administrator entries...')
users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
# Add Password Admin 1
admin1_user = users.create(
properties={
'uid': 'admin1',
'cn': 'admin1',
'sn': 'strator',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/admin1',
'userPassword': ADMIN_PWD
})
# Add Password Admin 2
admin2_user = users.create(
properties={
'uid': 'admin2',
'cn': 'admin2',
'sn': 'strator',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/admin2',
'userPassword': ADMIN_PWD
})
# Add Password Admin Group
admin_group = groups.create(properties={'cn': 'password admin group'})
admin_group.add_member(admin1_user.dn)
admin_group.add_member(admin2_user.dn)
# Configure password policy
log.info('test_pwdAdmin_init: Configuring password policy...')
topology_st.standalone.config.replace_many(
('nsslapd-pwpolicy-local', 'on'), ('passwordCheckSyntax', 'on'),
('passwordMinCategories', '1'), ('passwordMinTokenLength', '2'),
('passwordExp', 'on'), ('passwordMinDigits', '1'),
('passwordMinSpecials', '1'))
#
# Add an aci to allow everyone all access (just makes things easier)
#
log.info('Add aci to allow password admin to add/update entries...')
domain = Domain(topology_st.standalone, DEFAULT_SUFFIX)
ACI_TARGET = "(target = \"ldap:///%s\")" % SUFFIX
ACI_TARGETATTR = "(targetattr = *)"
ACI_ALLOW = "(version 3.0; acl \"Password Admin Access\"; allow (all) "
ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)"
ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
domain.add('aci', ACI_BODY)
#
# Bind as the future Password Admin
#
log.info(
'test_pwdAdmin_init: Bind as the Password Administrator (before activating)...'
)
admin_conn = admin1_user.bind(ADMIN_PWD)
#
# Setup our test entry, and test password policy is working
#
# Connect up an admin authed users connection.
admin_users = UserAccounts(admin_conn, DEFAULT_SUFFIX)
#
# Start by attempting to add an entry with an invalid password
#
log.info(
'test_pwdAdmin_init: Attempt to add entries with invalid passwords, these adds should fail...'
)
for passwd in INVALID_PWDS:
with pytest.raises(ldap.CONSTRAINT_VIOLATION):
admin_users.create(
properties={
'uid': 'example',
'cn': 'example',
'sn': 'example',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/example',
'userPassword': passwd
})
return (admin_group, admin1_user, admin2_user)
def test_aci_with_exclude_filter(topo, add_anon_aci_access):
"""Test an ACI(Access control instruction) which contains an extensible filter.
:id: 238da674-81d9-11eb-a965-98fa9ba19b65
:setup: Standalone instance
:steps:
1. Bind to a new Standalone instance
2. Generate text for the Access Control Instruction(ACI) and add to the standalone instance
-Create a test user 'admin' with a marker -> deniedattr = 'telephonenumber'
3. Create 2 top Organizational units (ou) under the same root suffix
4. Create 2 test users for each Organizational unit (ou) above with the same username 'admin'
5. Bind to the Standalone instance as the user 'admin' from the ou created in step 4 above
- Search for user(s) ' admin in the subtree that satisfy this criteria:
DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, cn_filter, [deniedattr, 'dn']
6. The search should return 2 entries with the username 'admin'
7. Verify that the users found do not have the --> deniedattr = 'telephonenumber' marker
:expectedresults:
1. Bind should be successful
2. Operation to create 2 Orgs (ou) should be successful
3. Operation to create 2 (admin*) users should be successful
4. Operation should be successful.
5. Operation should be successful
6. Should successfully return 2 users that match "admin*"
7. PASS - users found do not have the --> deniedattr = 'telephonenumber' marker
"""
log.info('Create an OU for them')
ous = OrganizationalUnit(topo.standalone, DEFAULT_SUFFIX)
log.info('Create an top org users')
users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
log.info('Add aci which contains extensible filter.')
ouname = 'outest'
username = '******'
passwd = 'Password'
deniedattr = 'telephonenumber'
log.info('Add aci which contains extensible filter.')
aci_text = ('(targetattr = "{}")'.format(deniedattr) +
'(target = "ldap:///{}")'.format(DEFAULT_SUFFIX) +
'(version 3.0;acl "admin-tel-matching-rule-outest";deny (all)' +
'(userdn = "ldap:///{}??sub?(&(cn={})(ou:dn:={}))");)'.format(DEFAULT_SUFFIX, username, ouname))
suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
suffix.add('aci', aci_text)
log.info('Adding OU entries ...')
for idx in range(0, 2):
ou0 = 'OU%d' % idx
log.info('Adding "ou" : %s under "dn" : %s...' % (ou0, DEFAULT_SUFFIX))
add_ou_entry(topo, ou0, DEFAULT_SUFFIX)
parent = 'ou=%s,%s' % (ou0, DEFAULT_SUFFIX)
log.info('Adding %s under %s...' % (ouname, parent))
add_ou_entry(topo, ouname, parent)
user = UserAccounts(topo.standalone, parent, rdn=None)
for idx in range(0, 2):
parent = 'ou=%s,ou=OU%d,%s' % (ouname, idx, DEFAULT_SUFFIX)
user = UserAccounts(topo.standalone, parent, rdn=None)
username = '******'.format(username, idx)
log.info('Adding User: %s under %s...' % (username, parent))
user = add_user_entry(topo, user, username, passwd, parent)
log.info('Bind as user %s' % username)
binddn_user = user.get(username)
conn = binddn_user.bind(passwd)
if not conn:
log.error(" {} failed to authenticate: ".format(binddn_user))
assert False
cn_filter = '(cn=%s)' % username
entries = Accounts(conn, DEFAULT_SUFFIX).filter('(cn=admin*)')
log.info('Verify 2 Entries returned for cn {}'.format(cn_filter))
assert len(entries) == 2
for entry in entries:
assert not entry.get_attr_val_utf8('telephonenumber')
log.info("Verified the entries do not contain 'telephonenumber' ")
log.info('Test complete')
