#50092 Issue 50091 - shadowWarning is not generated if passwordWarning is lower than 86400 seconds (1 day).
Closed 3 years ago by spichugi. Opened 5 years ago by bsmejkal.
bsmejkal/389-ds-base bz1589144  into  master

@@ -12,7 +12,7 @@ 

  from lib389.tasks import *

  from lib389.utils import *

  from lib389.topologies import topology_st

- 

+ from lib389.idm.user import UserAccounts

  from lib389._constants import (DEFAULT_SUFFIX, DN_CONFIG, PASSWORD, DN_DM,

                                 HOST_STANDALONE, PORT_STANDALONE, SERVERID_STANDALONE)

  from dateutil.parser import parse as dt_parse
@@ -20,7 +20,7 @@ 

  

  CONFIG_ATTR = 'passwordSendExpiringTime'

  USER_DN = 'uid=tuser,{}'.format(DEFAULT_SUFFIX)

- USER_PASSWD = b'secret123'

+ USER_PASSWD = 'secret123'

  

  logging.getLogger(__name__).setLevel(logging.INFO)

  log = logging.getLogger(__name__)
@@ -537,6 +537,55 @@ 

      topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)

  

  

+ @pytest.mark.bz1589144

+ @pytest.mark.ds50091

+ def test_search_shadowWarning_when_passwordWarning_is_lower(topology_st, global_policy):

+     """Test if value shadowWarning is present with global password policy

+        when passwordWarning is set with lower value.

+ 

+     :id: c1e82de6-1aa3-42c3-844a-9720172158a3

+     :setup: Standalone Instance

+     :steps:

+         1. Bind as Directory Manager

+         2. Set global password policy

+         3. Add test user to instance.

+         4. Modify passwordWarning to have smaller value than 86400

+         5. Bind as the new user

+         6. Search for shadowWarning attribute

+         7. Rebind as Directory Manager

+     :expectedresults:

+         1. Binding should be successful

+         2. Setting password policy should be successful

+         3. Adding test user should be successful

+         4. Modifying passwordWarning should be successful

+         5. Binding should be successful

+         6. Attribute shadowWarning should be found

+         7. Binding should be successful

+     """

+ 

+     users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)

+ 

+     log.info("Bind as %s" % DN_DM)

+     assert topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)

+ 

+     log.info("Creating test user")

+     testuser = users.create_test_user(1004)

+     testuser.add('objectclass', 'shadowAccount')

+     testuser.set('userPassword', USER_PASSWD)

+ 

+     log.info("Setting passwordWarning to smaller value than 86400")

+     assert topology_st.standalone.config.set('passwordWarning', '86399')

+ 

+     log.info("Bind as test user")

+     assert topology_st.standalone.simple_bind_s(testuser.dn, USER_PASSWD)

+ 

+     log.info("Check if attribute shadowWarning is present")

+     assert testuser.present('shadowWarning')

+ 

+     log.info("Rebinding as DM")

+     topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)

+ 

+ 

  if __name__ == '__main__':

      # Run isolated

      # -s for DEBUG mode

Description:
Added test case to check if shadowWarning attribute is generated when passwordWarning is set to lower value than 84600 seconds.

https://pagure.io/389-ds-base/issue/50091

Reviewed by: ???

Please add @pytest.mark.bz1589144 and rename the test function to have human readable title.

rebased onto 7cb3b86f9f68d9cc09d6b4b3b32bcab57e5e074d

5 years ago

rebased onto 06e7480c14164612950b89532d32fd8ff7a30c7b

5 years ago

You can use UserAccounts DSLdapObject for the user creation. And it's actually recommended over legacy Entry object.
Check this - https://lib389.readthedocs.io/en/latest/user.html

Also, you can use users.create_test_user(uid=1004) for the generic user creation (in case when you don't need specific attributes)

Better to use 'search_s(USER4_DN, ldap.SCOPE_BASE, "(objectclass=*)"' here in stead of legacy getEntry() method. Or you can use UserAccount object and do the bind through it. The link I sent has the example

@spichugi
I have been rewriting the test to use UserAccounts but a user created this way ignores password policy for some reason.

Steps:
1) Set global password policy
2) Add user to instance:
users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
testuser = users.create_test_user(uid=1004)
3) Set password for user: testuser.set('userPassword', USER_PW)
4) Modify passwordWarning to value 86400.
5) You said I should bind through the user (testuser.bind(USER_PW)) but what would be the correct way to check shadowWarning attribute?
Because if I use testuser.present('shadowWarning'), then it won't find anything whether I am bound to the testuser or not and shadowWarning attribute should be generated with these settings.

Could you please point me to the right direction how object UserAccounts works with password policy? Because using legacy Entry object worked correctly.
Also the documentation says that I should consider using nsUserAccounts object instead of UserAccounts.

@spichugi
I have been rewriting the test to use UserAccounts but a user created this way ignores password policy for some reason.
Steps:
1) Set global password policy
2) Add user to instance:
users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
testuser = users.create_test_user(uid=1004)

Okay, I see. You have additional objectClass there - shadowAccount. You can add it to the user.

test_user.add("objectClass", "shadowAccount")

3) Set password for user: testuser.set('userPassword', USER_PW)
4) Modify passwordWarning to value 86400.
5) You said I should bind through the user (testuser.bind(USER_PW)) but what would be the correct way to check shadowWarning attribute?

I didn't say you should bind exactly like this. :)
If you will though, it will work like this:

conn = testuser.bind('password') # It will create a new connection
users = UserAccounts(conn, DEFAULT_SUFFIX)
test_user_bound = users.get(test_user.dn) # test_user is still bound as DM because topology_st.standalone is DM
test_user_bound.present()

Because if I use testuser.present('shadowWarning'), then it won't find anything whether I am bound to the testuser or not and shadowWarning attribute should be generated with these settings.

So I'd say it is okay to bind with topology_st.standalone.simple_bind_s(USER4_DN, USER_PW)
and then you can use testuser.present('shadowWarning')

Also the documentation says that I should consider using nsUserAccounts object instead of UserAccounts.

If your test case will be run only on DS 1.4.0 and above - you should use nsUserAccounts.
Otherwise, I think it is okay to use just UserAccounts.
The methods are the same any way.

And let's put the test case to 'dirsrvtests/tests/suites/password/pwdPolicy_warning_test.py' for example.
We plan to get rid of dirsrvtests/tests/tickets/ soon one day :)

rebased onto 1aba990a53ce8a208dff19b8b71d3dd7db089b1f

5 years ago

You only using this value twice, it may be clearer for the reader to just hardcode "shadowWarning" in these two locations (it tripped me up reading it ...)

rebased onto 3879a4a8cb7711ea76184129e4fea1d2be81b583

5 years ago

@firstyear
Thanks, I corrected the value.
I am used to assigning constant/variable if I use the value more than once to have clearer code but it might not be necessary this time.

Ack from me! @spichugi since I've been away for so long can I get you to sanity check this for me too?

rebased onto f03ea8e

5 years ago

Pull-Request has been merged by vashirov

5 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3151

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

3 years ago
Metadata