From 24f8b6d93aaca127221432062ba276398c4859b2 Mon Sep 17 00:00:00 2001
From: Anuj Borah
Date: Mar 25 2019 17:48:24 +0000
Subject: Issue:50112 - Port ACI test suit from TET to python3(misc and syntax)
Port ACI test suit from TET to python3(misc and syntax)
https://pagure.io/389-ds-base/issue/50112
Reviewed by: thierry bordaz, William Brown, Matus Honek, Ludwig Krispenz, Simon Pichugin
---
diff --git a/dirsrvtests/tests/suites/acl/misc_test.py b/dirsrvtests/tests/suites/acl/misc_test.py
new file mode 100644
index 0000000..8394c92
--- /dev/null
+++ b/dirsrvtests/tests/suites/acl/misc_test.py
@@ -0,0 +1,413 @@
+"""
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2019 RED Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ----
+"""
+
+import os
+import pytest
+
+from lib389._constants import DEFAULT_SUFFIX, PW_DM
+from lib389.idm.user import UserAccount, UserAccounts
+from lib389._mapped_object import DSLdapObject
+from lib389.idm.account import Accounts, Anonymous
+from lib389.idm.organizationalunit import OrganizationalUnit, OrganizationalUnits
+from lib389.idm.group import Group, Groups
+from lib389.topologies import topology_st as topo
+from lib389.idm.domain import Domain
+from lib389.plugins import ACLPlugin
+
+import ldap
+
+
+PEOPLE = "ou=PEOPLE,{}".format(DEFAULT_SUFFIX)
+DYNGROUP = "cn=DYNGROUP,{}".format(PEOPLE)
+CONTAINER_1_DELADD = "ou=Product Development,{}".format(DEFAULT_SUFFIX)
+CONTAINER_2_DELADD = "ou=Accounting,{}".format(DEFAULT_SUFFIX)
+
+
+@pytest.fixture(scope="function")
+def aci_of_user(request, topo):
+    """
+    :param request:
+    :param topo:
+    """
+    aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
+
+    def finofaci():
+        """
+        Removes and Restores ACIs after the test.
+        """
+        domain = Domain(topo.standalone, DEFAULT_SUFFIX)
+        domain.remove_all('aci')
+        for i in aci_list:
+            domain.add("aci", i)
+
+    request.addfinalizer(finofaci)
+
+
+@pytest.fixture(scope="function")
+def clean(request, topo):
+    """
+    :param request:
+    :param topo:
+    """
+    ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
+    try:
+        for i in ['Product Development', 'Accounting']:
+            ous.create(properties={'ou': i})
+    except ldap.ALREADY_EXISTS as eoor_eoor:
+        topo.standalone.log.info("Exception (expected): %s" % type(eoor_eoor).__name__)
+
+    def fin():
+        """
+        Deletes entries after the test.
+        """
+        for scope_scope in [CONTAINER_1_DELADD, CONTAINER_2_DELADD, PEOPLE]:
+            try:
+                DSLdapObject(topo.standalone, scope_scope).delete()
+            except ldap.ALREADY_EXISTS as eoor_eoor:
+                topo.standalone.log.info("Exception (expected): %s" % type(eoor_eoor).__name__)
+
+    request.addfinalizer(fin)
+
+
+def test_accept_aci_in_addition_to_acl(topo, clean, aci_of_user):
+    """
+    Misc Test 2 accept aci in addition to acl
+    :id:8e9408fa-7db8-11e8-adaa-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should succeed
+        3. Operation should succeed
+    """
+    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=product development')
+    user = uas.create_test_user()
+    for i in [('mail', 'anujborah@okok.com'), ('givenname', 'Anuj'), ('userPassword', PW_DM)]:
+        user.set(i[0], i[1])
+
+    aci_target = "(targetattr=givenname)"
+    aci_allow = ('(version 3.0; acl "Name of the ACI"; deny (read, search, compare, write)')
+    aci_subject = 'userdn="ldap:///anyone";)'
+    Domain(topo.standalone, CONTAINER_1_DELADD).add("aci", aci_target + aci_allow + aci_subject)
+
+    conn = Anonymous(topo.standalone).bind()
+    # aci will block targetattr=givenname to anyone
+    user = UserAccount(conn, user.dn)
+    with pytest.raises(AssertionError):
+        assert user.get_attr_val_utf8('givenname') == 'Anuj'
+    # aci will allow targetattr=uid to anyone
+    assert user.get_attr_val_utf8('uid') == 'test_user_1000'
+
+    for i in uas.list():
+        i.delete()
+
+
+@pytest.mark.bz334451
+def test_more_then_40_acl_will_crash_slapd(topo, clean, aci_of_user):
+    """
+    bug 334451 : more then 40 acl will crash slapd
+    superseded by Bug 772778 - acl cache overflown problem with > 200 acis
+    :id:93a44c60-7db8-11e8-9439-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should succeed
+        3. Operation should succeed
+    """
+    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')
+    user = uas.create_test_user()
+
+    aci_target = '(target ="ldap:///{}")(targetattr !="userPassword")'.format(CONTAINER_1_DELADD)
+    # more_then_40_acl_will not crash_slapd
+    for i in range(40):
+        aci_allow = '(version 3.0;acl "ACI_{}";allow (read, search, compare)'.format(i)
+        aci_subject = 'userdn="ldap:///anyone";)'
+        aci_body = aci_target + aci_allow + aci_subject
+        Domain(topo.standalone, CONTAINER_1_DELADD).add("aci", aci_body)
+        conn = Anonymous(topo.standalone).bind()
+        assert UserAccount(conn, user.dn).get_attr_val_utf8('uid') == 'test_user_1000'
+
+    for i in uas.list():
+        i.delete()
+
+@pytest.mark.bz345643
+def test_search_access_should_not_include_read_access(topo, clean, aci_of_user):
+    """
+    bug 345643
+    Misc Test 4 search access should not include read access
+    :id:98ab173e-7db8-11e8-a309-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should succeed
+        3. Operation should succeed
+    """
+    assert Domain(topo.standalone, DEFAULT_SUFFIX).present('aci')
+    Domain(topo.standalone, DEFAULT_SUFFIX)\
+        .add("aci", [f'(target ="ldap:///{DEFAULT_SUFFIX}")(targetattr !="userPassword")'
+                     '(version 3.0;acl "anonymous access";allow (search)'
+                     '(userdn = "ldap:///anyone");)',
+                     f'(target="ldap:///{DEFAULT_SUFFIX}") (targetattr = "*")(version 3.0; '
+                     'acl "allow self write";allow(write) '
+                     'userdn = "ldap:///self";)',
+                     f'(target="ldap:///{DEFAULT_SUFFIX}") (targetattr = "*")(version 3.0; '
+                     'acl "Allow all admin group"; allow(all) groupdn = "ldap:///cn=Directory '
+                     'Administrators, {}";)'])
+
+    conn = Anonymous(topo.standalone).bind()
+    # search_access_should_not_include_read_access
+    suffix = Domain(conn, DEFAULT_SUFFIX)
+    with pytest.raises(AssertionError):
+        assert suffix.present('aci')
+
+
+def test_only_allow_some_targetattr(topo, clean, aci_of_user):
+    """
+    Misc Test 5 only allow some targetattr (1/2)
+    :id:9d27f048-7db8-11e8-a71c-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should succeed
+        3. Operation should succeed
+    """
+
+    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
+    for i in range(1, 3):
+        user = uas.create_test_user(uid=i, gid=i)
+        user.replace_many(('cn', 'Anuj1'), ('mail', 'annandaBorah@anuj.com'))
+
+    Domain(topo.standalone, DEFAULT_SUFFIX).\
+        replace("aci", '(target="ldap:///{}")(targetattr="mail||objectClass")'
+                       '(version 3.0; acl "Test";allow (read,search,compare) '
+                       '(userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX))
+
+    conn = Anonymous(topo.standalone).bind()
+    accounts = Accounts(conn, DEFAULT_SUFFIX)
+
+    # aci will allow only mail targetattr
+    assert len(accounts.filter('(mail=*)')) == 2
+    # aci will allow only mail targetattr
+    assert not accounts.filter('(cn=*)')
+    # with root no , blockage
+    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)')) == 2
+
+    for i in uas.list():
+        i.delete()
+
+
+def test_only_allow_some_targetattr_two(topo, clean, aci_of_user):
+    """
+    Misc Test 6 only allow some targetattr (2/2)"
+    :id:a188239c-7db8-11e8-903e-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should succeed
+        3. Operation should succeed
+    """
+    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)
+    for i in range(5):
+        user = uas.create_test_user(uid=i, gid=i)
+        user.replace_many(('mail', 'anujborah@anujborah.com'),
+                          ('cn', 'Anuj'), ('userPassword', PW_DM))
+
+    user1 = uas.create_test_user()
+    user1.replace_many(('mail', 'anujborah@anujborah.com'), ('userPassword', PW_DM))
+
+    Domain(topo.standalone, DEFAULT_SUFFIX).\
+        replace("aci", '(target="ldap:///{}") (targetattr="mail||objectClass")'
+                       '(targetfilter="cn=Anuj") (version 3.0; acl "$tet_thistest"; '
+                       'allow (compare,read,search) '
+                       '(userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX))
+
+    conn = UserAccount(topo.standalone, user.dn).bind(PW_DM)
+    # aci will allow only mail targetattr but only for cn=Anuj
+    account = Accounts(conn, DEFAULT_SUFFIX)
+    assert len(account.filter('(mail=*)')) == 5
+    assert not account.filter('(cn=*)')
+
+    for i in account.filter('(mail=*)'):
+        assert i.get_attr_val_utf8('mail') == 'anujborah@anujborah.com'
+
+
+    conn = Anonymous(topo.standalone).bind()
+    # aci will allow only mail targetattr but only for cn=Anuj
+    account = Accounts(conn, DEFAULT_SUFFIX)
+    assert len(account.filter('(mail=*)')) == 5
+    assert not account.filter('(cn=*)')
+
+    for i in account.filter('(mail=*)'):
+        assert i.get_attr_val_utf8('mail') == 'anujborah@anujborah.com'
+
+    # with root no blockage
+    assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(mail=*)')) == 6
+
+    for i in uas.list():
+        i.delete()
+
+
+
+@pytest.mark.bz326000
+def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
+    """
+    Non-regression test for BUG 326000: MemberURL needs to be normalized
+    :id:a5d172e6-7db8-11e8-aca7-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should succeed
+        3. Operation should succeed
+    """
+    ou_ou = OrganizationalUnit(topo.standalone, "ou=PEOPLE,{}".format(DEFAULT_SUFFIX))
+    ou_ou.set('aci', '(targetattr= *)'
+                     '(version 3.0; acl "tester"; allow(all) '
+                     'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'.format(DEFAULT_SUFFIX))
+
+    groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=PEOPLE')
+    groups.create(properties={"cn": "DYNGROUP",
+                              "description": "DYNGROUP",
+                              'objectClass': 'groupOfURLS',
+                              'memberURL': "ldap:///ou=PEOPLE,{}??sub?"
+                                           "(uid=test_user_2)".format(DEFAULT_SUFFIX)})
+
+    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
+    for demo1 in [(1, "Entry to test rights on."), (2, "Member of DYNGROUP")]:
+        user = uas.create_test_user(uid=demo1[0], gid=demo1[0])
+        user.replace_many(('description', demo1[1]), ('userPassword', PW_DM))
+
+    ##with normal aci
+    conn = UserAccount(topo.standalone, uas.list()[1].dn).bind(PW_DM)
+    harry = UserAccount(conn, uas.list()[1].dn)
+    harry.add('sn', 'FRED')
+
+    ##with abnomal aci
+    dygrp = Group(topo.standalone, DYNGROUP)
+    dygrp.remove('memberurl', "ldap:///ou=PEOPLE,{}??sub?(uid=test_user_2)".format(DEFAULT_SUFFIX))
+    dygrp.add('memberurl', "ldap:///ou=PEOPLE,{}??sub?(uid=tesT_UsEr_2)".format(DEFAULT_SUFFIX))
+    harry.add('sn', 'Not FRED')
+
+    for i in uas.list():
+        i.delete()
+
+@pytest.mark.bz624370
+def test_greater_than_200_acls_can_be_created(topo, clean, aci_of_user):
+    """
+    Misc 10, check that greater than 200 ACLs can be created. Bug 624370
+    :id:ac020252-7db8-11e8-8652-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should succeed
+        3. Operation should succeed
+    """
+    # greater_than_200_acls_can_be_created
+    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
+    for i in range(200):
+        user = uas.create_test_user(uid=i, gid=i)
+        user.set('aci', '(targetattr = "description")'
+                        '(version 3.0;acl "foo{}"; allow (read, search, compare)'
+                        '(userdn="ldap:///anyone");)'.format(i))
+
+        assert user.\
+            get_attr_val_utf8('aci') == '(targetattr = "description")' \
+                                        '(version 3.0;acl "foo{}"; allow ' \
+                                        '(read, search, compare)' \
+                                        '(userdn="ldap:///anyone");)'.format(i)
+    for i in uas.list():
+        i.delete()
+
+
+@pytest.mark.bz624453
+def test_server_bahaves_properly_with_very_long_attribute_names(topo, clean, aci_of_user):
+    """
+    Make sure the server bahaves properly with very long attribute names. Bug 624453.
+    :id:b0d31942-7db8-11e8-a833-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should succeed
+        3. Operation should succeed
+    """
+    users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
+    users.create_test_user()
+    users.list()[0].set('userpassword', PW_DM)
+
+    user = UserAccount(topo.standalone, 'uid=test_user_1000,ou=People,{}'.format(DEFAULT_SUFFIX))
+    with pytest.raises(ldap.INVALID_SYNTAX):
+        user.add("aci", "a" * 9000)
+
+
+def test_do_bind_as_201_distinct_users(topo, clean, aci_of_user):
+    """
+    Do bind as 201 distinct users
+    Increase the nsslapd-aclpb-max-selected-acls in cn=ACL Plugin,cn=plugins,cn=config
+    Restart the server
+    Do bind as 201 distinct users
+    :id:c0060532-7db8-11e8-a124-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should succeed
+        3. Operation should succeed
+    """
+    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
+    for i in range(50):
+        user = uas.create_test_user(uid=i, gid=i)
+        user.set('userPassword', PW_DM)
+
+    for i in range(len(uas.list())):
+        uas.list()[i].bind(PW_DM)
+
+    ACLPlugin(topo.standalone).replace("nsslapd-aclpb-max-selected-acls", '220')
+    topo.standalone.restart()
+
+    for i in range(len(uas.list())):
+        uas.list()[i].bind(PW_DM)
+
+
+if __name__ == "__main__":
+    CURRENT_FILE = os.path.realpath(__file__)
+    pytest.main("-s -v %s" % CURRENT_FILE)
diff --git a/dirsrvtests/tests/suites/acl/syntax_test.py b/dirsrvtests/tests/suites/acl/syntax_test.py
new file mode 100644
index 0000000..1f48f97
--- /dev/null
+++ b/dirsrvtests/tests/suites/acl/syntax_test.py
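Review bot: In `test_search_access_should_not_include_read_access` the third ACI ends with the plain string `'Administrators, {}";)'`, which has no `f` prefix and no `.format()`, so the admin-group ACI is installed with a literal `{}` in its groupdn; `f'Administrators, {DEFAULT_SUFFIX}";)'` gives the DN that was evidently intended. The `clean` fixture's finalizer wraps `.delete()` in `except ldap.ALREADY_EXISTS`, which is not what a delete of a missing entry raises, so a container already removed by a test would make teardown fail instead of logging the expected exception; `except ldap.NO_SUCH_OBJECT as eoor_eoor:` is the matching guard. `test_do_bind_as_201_distinct_users` sets `nsslapd-aclpb-max-selected-acls` to `'220'` and restarts without ever restoring the previous value, so the change leaks into every later test in the session; reading the old value first and putting it back in a `request.addfinalizer` (as `aci_of_user` does for ACIs) would keep the test self-contained. The ACI name `"$tet_thistest"` in `test_only_allow_some_targetattr_two` is a leftover TET shell variable and reads better as a literal name such as `"only_allow_some_targetattr_two"`.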
@@ -0,0 +1,258 @@
+"""
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2019 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ----
+"""
+
+import os
+import pytest
+
+from lib389._constants import DEFAULT_SUFFIX
+from lib389.idm.domain import Domain
+from lib389.topologies import topology_st as topo
+
+import ldap
+
+INVALID = [('test_targattrfilters_1',
+            f'(targattrfilters ="add=title:title=fred),del=cn:(cn!=harry)")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_2',
+            f'(targattrfilters ="add=:(title=fred),del=cn:(cn!=harry)")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_3',
+            f'(targattrfilters ="add=:(title=fred),del=cn:(cn!=harry))'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_4',
+            f'(targattrfilters ="add=title:(title=fred),=cn:(cn!=harry")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_5',
+            f'(targattrfilters ="add=title:(|(title=fred)(cn=harry)),del=cn:(cn=harry)")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_6',
+            f'(targattrfilters ="add=title:(|(title=fred)(title=harry)),del=cn:(title=harry)")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_7',
+            f'(targattrfilters ="add=title:(cn=architect), '
+            f'del=title:(title=architect) && l:(l=cn=Meylan,dc=example,dc=com")")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_8',
+            f'(targattrfilters ="add=title:(cn=architect)")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_9',
+            f'(targattrfilters ="add=title:(cn=arch*)")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_10',
+            f'(targattrfilters ="add=title:(cn >= 1)")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_11',
+            f'(targattrfilters ="add=title:(cn <= 1)")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_12',
+            f'(targattrfilters ="add=title:(cn ~= 1)")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_13',
+            f'(targattrfilters ="add=title:(!(cn ~= 1))")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_14',
+            f'(targattrfilters ="add=title:(&(cn=fred)(cn ~= 1))")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_15',
+            f'(targattrfilters ="add=title:(|(cn=fred)(cn ~= 1))")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_16',
+            f'(targattrfilters ="add=title:(&(|(title=fred)(title=harry))(cn ~= 1))")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_17',
+            f'\(targattrfilters ="add=title:(&(|(&(title=harry)(title=fred))'
+            f'(title=harry))(title ~= 1))")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_19',
+            f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
+            f'(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny(write)gropdn="ldap:///anyone";)'),
+           ('test_targattrfilters_21',
+            f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
+            f'(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny(rite)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_22',
+            f'(targt = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
+            f'(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_targattrfilters_23',
+            f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
+            f'(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; absolute (all)userdn="ldap:///anyone";)'),
+           ('test_Missing_acl_mispel',
+            f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
+            f'(targetattr=*)'
+            f'(version 3.0; alc "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_Missing_acl_string',
+            f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
+            f'(targetattr=*)'
+            f'(version 3.0; "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_Wrong_version_string',
+            f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
+            f'(targetattr=*)'
+            f'(version 2.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_Missing_version_string',
+            f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
+            f'(targetattr=*)'
+            f'(; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_Authenticate_statement',
+            f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
+            f'(targetattr != "uid")'
+            f'(targetattr=*)(version 3.0; acl "Name of the ACI"; deny absolute (all)'
+            f'userdn="ldap:///anyone";)'),
+           ('test_Multiple_targets',
+            f'(target = ldap:///ou=Product Development,{DEFAULT_SUFFIX})'
+            f'(target = ldap:///ou=Product Testing,{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_Target_set_to_self',
+            f'(target = ldap:///self)(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_target_set_with_ldap_instead_of_ldap',
+            f'(target = ldap:\\\{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_target_set_with_more_than_three',
+            f'(target = ldap:////{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_target_set_with_less_than_three',
+            f'(target = ldap://{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_bind_rule_set_with_less_than_three',
+            f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:/anyone";)'),
+           ('test_Use_semicolon_instead_of_comma_in_permission',
+            f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny '
+            f'(read; search; compare; write)userdn="ldap:///anyone";)'),
+           ('test_Use_double_equal_instead_of_equal_in_the_target',
+            f'(target == ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_use_double_equal_instead_of_equal_in_user_and_group_access',
+            f'(target = ldap:///{DEFAULT_SUFFIX})'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)'
+            f'userdn == "ldap:///anyone";)'),
+           ('test_donot_cote_the_name_of_the_aci',
+            f'(target = ldap:///{DEFAULT_SUFFIX})'
+            f'(version 3.0; acl Name of the ACI ; deny absolute (all)userdn = "ldap:///anyone";)'),
+           ('test_extra_parentheses_case_1',
+            f'( )(target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn = "ldap:///anyone";)'),
+           ('test_extra_parentheses_case_2',
+            f'(((((target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)'
+            f'userdn == "ldap:///anyone";)'),
+           ('test_extra_parentheses_case_3',
+            f'(((target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute '
+            f'(all)userdn = "ldap:///anyone";)))'),
+           ('test_no_semicolon_at_the_end_of_the_aci',
+            f'(target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn = "ldap:///anyone")'),
+           ('test_a_character_different_of_a_semicolon_at_the_end_of_the_aci',
+            f'(target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn = "ldap:///anyone"%)'),
+           ('test_bad_filter',
+            f'(target = ldap:///{DEFAULT_SUFFIX}) '
+            f'(targetattr="cn |&| sn |(|) uid")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn = "ldap:///anyone";)'),
+           ('test_Use_double_equal_instead_of_equal_in_the_targattrfilters',
+            f'(target = ldap:///{DEFAULT_SUFFIX})(targattrfilters== "add=title:(title=architect)")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+           ('test_Use_double_equal_instead_of_equal_inside_the_targattrfilters',
+            f'(target = ldap:///{DEFAULT_SUFFIX})(targattrfilters="add==title:(title==architect)")'
+            f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),]
+
+
+FAILED = [('test_targattrfilters_18',
+           f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
+           f'(targetattr=*)'
+           f'(version 3.0; acl "Name of the ACI"; deny(write)userdn="ldap:///{"123" * 300}";)'),
+          ('test_targattrfilters_20',
+           f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
+           f'(targetattr=*)'
+           f'(version 3.0; acl "Name of the ACI"; deny(write)userdns="ldap:///anyone";)'),
+          ('test_bind_rule_set_with_more_than_three',
+           f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
+           f'(version 3.0; acl "Name of the ACI"; deny absolute (all)'
+           f'userdn="ldap:////////anyone";)'),
+          ('test_Use_double_equal_instead_of_equal_in_the_targetattr',
+           f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr==*)'
+           f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
+          ('test_Use_double_equal_instead_of_equal_in_the_targetfilter',
+           f'(target = ldap:///{DEFAULT_SUFFIX})(targetfilter==*)'
+           f'(version 3.0; acl "Name of the ACI"; deny absolute '
+           f'(all)userdn="ldap:///anyone";)'), ]
+
+
+@pytest.mark.xfail(reason='https://bugzilla.redhat.com/show_bug.cgi?id=1691473')
+@pytest.mark.parametrize("real_value", [a[1] for a in FAILED],
+                         ids=[a[0] for a in FAILED])
+def test_aci_invalid_syntax_fail(topo, real_value):
+    """
+
+    Try to set wrong ACI syntax.
+
+    :id: d544d09a-6ed1-11e8-8872-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Create ACI
+        2. Try to setup the ACI with Instance
+    :expectedresults:
+        1. It should pass
+        2. It should not pass
+    """
+    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
+    with pytest.raises(ldap.INVALID_SYNTAX):
+        domain.add("aci", real_value)
+
+
+@pytest.mark.parametrize("real_value", [a[1] for a in INVALID],
+                         ids=[a[0] for a in INVALID])
+def test_aci_invalid_syntax(topo, real_value):
+    """
+
+    Try to set wrong ACI syntax.
+
+    :id: d544d09a-6ed1-11e8-8872-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Create ACI
+        2. Try to setup the ACI with Instance
+    :expectedresults:
+        1. It should pass
+        2. It should not pass
+    """
+    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
+    with pytest.raises(ldap.INVALID_SYNTAX):
+        domain.add("aci", real_value)
+
+
+def test_target_set_above_the_entry_test(topo):
+    """
+    Try to set wrong ACI syntax.
+
+    :id: d544d09a-6ed1-11e8-8872-8c16451d917b
+    :setup: Standalone Instance
+    :steps:
+        1. Create ACI
+        2. Try to setup the ACI with Instance
+    :expectedresults:
+        1. It should pass
+        2. It should not pass
+    """
+    domain = Domain(topo.standalone, "ou=People,{}".format(DEFAULT_SUFFIX))
+    with pytest.raises(ldap.INVALID_SYNTAX):
+        domain.add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
+                          f'(targetattr=*)(version 3.0; acl "Name of the ACI"; deny absolute '
+                          f'(all)userdn="ldap:///anyone";)')
+
+
+if __name__ == "__main__":
+    CURRENT_FILE = os.path.realpath(__file__)
+    pytest.main("-s -v %s" % CURRENT_FILE)
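Review bot: `test_aci_invalid_syntax_fail`, `test_aci_invalid_syntax` and `test_target_set_above_the_entry_test` all carry the same `:id: d544d09a-6ed1-11e8-8872-8c16451d917b`, so the ids cannot distinguish the three cases in reports; each test needs its own id, and the last docstring should describe the target-above-the-entry case rather than repeating "Try to set wrong ACI syntax". The `test_targattrfilters_17` value begins with `f'\(targattrfilters ...`: `\(` is not a valid escape, so Python emits a warning and keeps the backslash, and the server then rejects the leading backslash rather than the nested filter the case name describes; the same applies to `ldap:\\\{DEFAULT_SUFFIX}` in `test_target_set_with_ldap_instead_of_ldap`, where how the trailing `\\\` before the replacement field decodes is not obvious from the source and an explicit `\\\\` escape (or a comment stating the exact text the server should receive) would make the intent checkable. Most entries in `INVALID` also carry an `f` prefix on strings with no `{}` placeholder (all of `test_targattrfilters_1` through `_17`), which linters flag and which makes the escape questions above harder to spot; dropping the prefix where nothing is interpolated would be cleaner.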