def test_deleting_twice(topo_m2): """Deleting entry twice crashed a server :id: 94045560-a64c-11ea-93d6-8c16451d917b :setup: MMR with 2 masters :steps: 1. Adding entry 2. Deleting the same entry from s1 3. Deleting the same entry from s2 after some seconds :expected results: 1. Should succeeds 2. Should succeeds 3. Should succeeds """ m1 = topo_m2.ms["master1"] m2 = topo_m2.ms["master2"] # Adding entry user1 = UserAccounts(m1, DEFAULT_SUFFIX, rdn=None).create_test_user(uid=1, gid=1) repl_manager = ReplicationManager(DEFAULT_SUFFIX) repl_manager.wait_for_replication(m1, m2, timeout=100) user2 = UserAccount(m2, f'uid=test_user_1,{DEFAULT_SUFFIX}') assert user2.status() # Deleting the same entry from s1 user1.delete() repl_manager.wait_for_replication(m1, m2, timeout=100) # Deleting the same entry from s2 after some seconds with pytest.raises(ldap.NO_SUCH_OBJECT): user2.delete() assert m1.status() assert m2.status()
def test_deeply_nested_groups_aci_denial(topo, test_user, aci_of_user): """ Test deeply nested groups (1) This aci will not allow search or modify to a user too deep to be detected. :id: 3d98229c-7840-11e8-9f55-8c16451d917b :setup: server :steps: 1. Add test entry 2. Take a count of users using DN_DM 3. Add test user 4. add aci 5. test should fullfil the aci rules :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed 4. Operation should succeed 5. Operation should succeed """ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; acl "ACLGroup"; allow (all) groupdn = "ldap:///{}" ;)'.format(ALLGROUPS_GLOBAL)) conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM) # ALLGROUPS_GLOBAL have all access assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('uid') == 'scratchEntry' user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL) with pytest.raises(ldap.INSUFFICIENT_ACCESS): user.delete()
def test_allow_delete_access_not_to_userdn(topo, _add_user, _aci_of_user): """ Test to Allow delete access to != userdn :id: 00637f6e-68e3-11e8-92a3-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI that allows userdn not to delete some userdn 3. Delete something using test USER_DELADD 4. Remove ACI :expectedresults: 1. Entry should be added 2. ACI should be added 3. Operation should not succeed 4. Delete operation for ACI should succeed """ # set aci aci_target = f'(targetattr="*")' aci_allow = f'(version 3.0; acl "All rights for %s"; allow (delete) ' % USER_DELADD aci_subject = f'userdn!="ldap:///{USER_WITH_ACI_DELADD}";)' Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject)) # create connection with USER_WITH_ACI_DELADD conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) # Perform delete operation user = UserAccount(conn, USER_DELADD) with pytest.raises(ldap.INSUFFICIENT_ACCESS): user.delete()
def test_deny_group_member_all_rights_to_user(topo, aci_of_user, test_user): """ Try deleting user while no access :id: 0da68a4c-7840-11e8-98c2-8c16451d917b :setup: server :steps: 1. Add test entry 2. Take a count of users using DN_DM 3. delete test user 4. add aci 5. test should fullfil the aci rules :expectedresults: 1. Entry should be added 2. Operation should succeed 3. Operation should succeed 4. Operation should succeed 5. Operation should succeed """ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; acl "ACLGroup"; deny (all) groupdn = "ldap:///{}" ;)'.format(BIG_GLOBAL)) conn = UserAccount(topo.standalone, "uid=Ted Morris, ou=Accounting, {}".format(DEFAULT_SUFFIX)).bind(PW_DM) # group BIG_GLOBAL will have no access user = UserAccount(conn, DEEPUSER3_GLOBAL) with pytest.raises(ldap.INSUFFICIENT_ACCESS): user.delete()
def fin(): for DN in [USER_DELADD, USER_WITH_ACI_DELADD, FRED, HARRY, KIRSTENVAUGHAN, HUMAN_OU_GLOBAL, CONTAINER_2_DELADD,CONTAINER_1_DELADD]: ua = UserAccount(topo.standalone, DN) try: ua.delete() except: pass
def test_csnpurge_large_valueset(topo_m2): """Test csn generator test :id: 63e2bdb2-0a8f-4660-9465-7b80a9f72a74 :setup: MMR with 2 masters :steps: 1. Create a test_user 2. add a large set of values (more than 10) 3. delete all the values (more than 10) 4. configure the replica to purge those values (purgedelay=5s) 5. Waiting for 6 second 6. do a series of update :expectedresults: 1. Should succeeds 2. Should succeeds 3. Should succeeds 4. Should succeeds 5. Should succeeds 6. Should not crash """ m1 = topo_m2.ms["master2"] test_user = UserAccount(m1, TEST_ENTRY_DN) if test_user.exists(): log.info('Deleting entry {}'.format(TEST_ENTRY_DN)) test_user.delete() test_user.create( properties={ 'uid': TEST_ENTRY_NAME, 'cn': TEST_ENTRY_NAME, 'sn': TEST_ENTRY_NAME, 'userPassword': TEST_ENTRY_NAME, 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/mmrepl_test', }) # create a large value set so that it is sorted for i in range(1, 20): test_user.add('description', 'value {}'.format(str(i))) # delete all values of the valueset for i in range(1, 20): test_user.remove('description', 'value {}'.format(str(i))) # set purging delay to 5 second and wait more that 5second replicas = Replicas(m1) replica = replicas.list()[0] log.info('nsds5ReplicaPurgeDelay to 5') replica.set('nsds5ReplicaPurgeDelay', '5') time.sleep(6) # add some new values to the valueset containing entries that should be purged for i in range(21, 25): test_user.add('description', 'value {}'.format(str(i)))
def fin(): log.info('Disabling Local accpolicy plugin and removing pwpolicy attrs') try: topology_st.standalone.plugins.disable(name=PLUGIN_ACCT_POLICY) for entry_dn in [LOCL_CONF, TEMPL_COS, DEFIN_COS]: entry = UserAccount(topology_st.standalone, dn=entry_dn) entry.delete() except ldap.LDAPError as e: log.error('Failed to disable Local accpolicy plugin, {}'.format(e.message['desc'])) assert False topology_st.standalone.restart(timeout=10)
def test_deletions_are_not_replicated(topo_m2): """usn + mmr = deletions are not replicated :id: aa4f67ce-a64c-11ea-a6fd-8c16451d917b :setup: MMR with 2 masters :steps: 1. Enable USN plugin on both servers 2. Enable USN plugin on Supplier 2 3. Add user 4. Check that user propagated to Supplier 2 5. Check user`s USN on Supplier 1 6. Check user`s USN on Supplier 2 7. Delete user 8. Check that deletion of user propagated to Supplier 1 :expected results: 1. Should succeeds 2. Should succeeds 3. Should succeeds 4. Should succeeds 5. Should succeeds 6. Should succeeds 7. Should succeeds 8. Should succeeds """ m1 = topo_m2.ms["master1"] m2 = topo_m2.ms["master2"] # Enable USN plugin on both servers usn1 = USNPlugin(m1) usn2 = USNPlugin(m2) for usn_usn in [usn1, usn2]: usn_usn.enable() for instance in [m1, m2]: instance.restart() # Add user user = UserAccounts(m1, DEFAULT_SUFFIX, rdn=None).create_test_user(uid=1, gid=1) repl_manager = ReplicationManager(DEFAULT_SUFFIX) repl_manager.wait_for_replication(m1, m2, timeout=100) # Check that user propagated to Supplier 2 assert user.dn in [ i.dn for i in UserAccounts(m2, DEFAULT_SUFFIX, rdn=None).list() ] user2 = UserAccount(m2, f'uid=test_user_1,{DEFAULT_SUFFIX}') # Check user`s USN on Supplier 1 assert user.get_attr_val_utf8('entryusn') # Check user`s USN on Supplier 2 assert user2.get_attr_val_utf8('entryusn') # Delete user user2.delete() repl_manager.wait_for_replication(m1, m2, timeout=100) # Check that deletion of user propagated to Supplier 1 with pytest.raises(ldap.NO_SUCH_OBJECT): user.status()
def test_deny_all_access_with_targetattr_set(topo, test_uer, aci_of_user): """Search Test 10 Deny all access with targetattr set :id: e1602ff2-6e11-11e8-8e55-8c16451d917b :setup: Standalone Instance :steps: 1. Add Entry 2. Add ACI 3. Bind with test USER_ANUJ 4. Try search 5. Delete Entry,test USER_ANUJ, ACI :expectedresults: 1. Operation should success 2. Operation should success 3. Operation should success 4. Operation should Fail 5. Operation should success """ testuser = UserAccount(topo.standalone, "cn=Anuj12,ou=People,{}".format(DEFAULT_SUFFIX)) testuser.create( properties={ 'uid': 'Anuj12', 'cn': 'Anuj12', 'sn': 'user', 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/' + 'Anuj12' }) ACI_TARGET = '(targetattr="uid")' ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)' ACI_SUBJECT = 'userdn="ldap:///anyone";)' ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY) conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM) # aci will block only uid=* assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)')) conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM) # aci will block only uid=* assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)')) # with root there is no aci blockage assert 4 == len( Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)')) testuser.delete()
def create_entry(topo_m4, request): """Add test entry to master1""" log.info('Adding entry {}'.format(TEST_ENTRY_DN)) test_user = UserAccount(topo_m4.ms["master1"], TEST_ENTRY_DN) if test_user.exists(): log.info('Deleting entry {}'.format(TEST_ENTRY_DN)) test_user.delete() test_user.create( properties={ 'uid': TEST_ENTRY_NAME, 'cn': TEST_ENTRY_NAME, 'sn': TEST_ENTRY_NAME, 'userPassword': TEST_ENTRY_NAME, 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/mmrepl_test', })
def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user): """ Test to Allow delete access to != dynamic group :id: 14ffa452-68ed-11e8-a60d-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI that delete access to != dynamic group 3. Delete something using test USER_DELADD 4. Remove ACI :expectedresults: 1. Entry should be added 2. ACI should be added 3. Operation should not succeed 4. Delete operation for ACI should succeed """ # Create dynamic group groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add("objectclass", "groupOfURLs") group.add( "memberURL", f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))' ) # Set ACI Domain(topo.standalone, DEFAULT_SUFFIX).\ add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})' f'(targetattr=*)(version 3.0; acl "$tet_thistest"; ' f'allow (delete) (groupdn != "ldap:///{group.dn}"); )') # create connection with USER_WITH_ACI_DELADD conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) user = UserAccount(conn, USER_DELADD) # Perform Allow delete access to != dynamic group with pytest.raises(ldap.INSUFFICIENT_ACCESS): user.delete()
def topology_st_f(topology_st): # Add our users to the topology_st users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX) for i in range(0, 20): users.create(properties={ 'uid': 'user%s' % i, 'cn': 'user%s' % i, 'sn': '%s' % i, 'uidNumber': '%s' % i, 'gidNumber': '%s' % i, 'homeDirectory': '/home/user%s' % i }) demo_user = UserAccount(topology_st.standalone, "uid=demo_user,ou=people,dc=example,dc=com") demo_user.delete() # return it # print("ATTACH NOW") # import time # time.sleep(30) return topology_st.standalone
def test_allow_delete_access_not_to_group(topo, _add_user, _aci_of_user): """ Test to Allow delete access to != groupdn :id: f58fc8b0-68e5-11e8-9313-8c16451d917b :setup: server :steps: 1. Add test entry 2. Add ACI that allows groupdn not to delete some userdn 3. Delete something using test USER_DELADD belong to test group 4. Remove ACI :expectedresults: 1. Entry should be added 2. ACI should be added 3. Operation should not succeed 4. Delete operation for ACI should succeed """ # Create group groups = Groups(topo.standalone, DEFAULT_SUFFIX) group = groups.create(properties={ "cn": "group1", "description": "testgroup" }) group.add_member(USER_WITH_ACI_DELADD) # set aci aci_target = f'(targetattr="*")' aci_allow = f'(version 3.0; acl "All rights for {group.dn}"; allow (delete)' aci_subject = f'groupdn!="ldap:///{group.dn}";)' Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject)) # create connection with USER_WITH_ACI_DELADD conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM) user = UserAccount(conn, USER_DELADD) # Perform delete operation with pytest.raises(ldap.INSUFFICIENT_ACCESS): user.delete()
def test_urp_trigger_substring_search(topo_m2): """Test that a ADD of a entry with a '*' in its DN, triggers an internal search with a escaped DN :id: 9869bb39-419f-42c3-a44b-c93eb0b77667 :setup: MMR with 2 masters :steps: 1. enable internal operation loggging for plugins 2. Create on M1 a test_user with a '*' in its DN 3. Check the test_user is replicated 4. Check in access logs that the internal search does not contain '*' :expectedresults: 1. Should succeeds 2. Should succeeds 3. Should succeeds 4. Should succeeds """ m1 = topo_m2.ms["master1"] m2 = topo_m2.ms["master2"] # Enable loggging of internal operation logging to capture URP intop log.info('Set nsslapd-plugin-logging to on') for inst in (m1, m2): inst.config.loglevel([AccessLog.DEFAULT, AccessLog.INTERNAL], service='access') inst.config.set('nsslapd-plugin-logging', 'on') inst.restart() # add a user with a DN containing '*' test_asterisk_uid = 'asterisk_*_in_value' test_asterisk_dn = 'uid={},{}'.format(test_asterisk_uid, DEFAULT_SUFFIX) test_user = UserAccount(m1, test_asterisk_dn) if test_user.exists(): log.info('Deleting entry {}'.format(test_asterisk_dn)) test_user.delete() test_user.create( properties={ 'uid': test_asterisk_uid, 'cn': test_asterisk_uid, 'sn': test_asterisk_uid, 'userPassword': test_asterisk_uid, 'uidNumber': '1000', 'gidNumber': '2000', 'homeDirectory': '/home/asterisk', }) # check that the ADD was replicated on M2 test_user_m2 = UserAccount(m2, test_asterisk_dn) for i in range(1, 5): if test_user_m2.exists(): break else: log.info('Entry not yet replicated on M2, wait a bit') time.sleep(2) # check that M2 access logs does not "(&(objectclass=nstombstone)(nscpentrydn=uid=asterisk_*_in_value,dc=example,dc=com))" log.info('Check that on M2, URP as not triggered such internal search') pattern = ".*\(Internal\).*SRCH.*\(&\(objectclass=nstombstone\)\(nscpentrydn=uid=asterisk_\*_in_value,dc=example,dc=com.*" found = m2.ds_access_log.match(pattern) log.info("found line: %s" % found) assert not found