#50176 Issue: 50112 - Port ACI test suit from TET to python3(Search)
Closed 3 years ago by spichugi. Opened 5 years ago by aborah.
aborah/389-ds-base search  into  master

@@ -0,0 +1,455 @@ 

+ # --- BEGIN COPYRIGHT BLOCK ---

+ # Copyright (C) 2019 Red Hat, Inc.

+ # All rights reserved.

+ #

+ # License: GPL (version 3 or any later version).

+ # See LICENSE for details.

+ # --- END COPYRIGHT BLOCK ----

+ 

+ import pytest, os, ldap

+ from lib389._constants import DEFAULT_SUFFIX, PW_DM, ErrorLog

+ from lib389.idm.user import UserAccount, UserAccounts

+ from lib389.idm.account import Accounts

+ from lib389.idm.organizationalunit import OrganizationalUnits

+ from lib389.topologies import topology_st as topo

+ from lib389.idm.domain import Domain

+ 

+ 

+ CONTAINER_1_DELADD = "ou=Product Development,{}".format(DEFAULT_SUFFIX)

+ CONTAINER_2_DELADD = "ou=Accounting,{}".format(DEFAULT_SUFFIX)

+ USER_ANUJ = "uid=Anuj Borah,{}".format(CONTAINER_1_DELADD)

+ USER_ANANDA = "uid=Ananda Borah,{}".format(CONTAINER_2_DELADD)

+ 

+ 

+ @pytest.fixture(scope="function")

+ def aci_of_user(request, topo):

+     aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')

+ 

+     def finofaci():

+         domain = Domain(topo.standalone, DEFAULT_SUFFIX)

+         domain.set('aci', None)

+         for i in aci_list:

+             domain.add("aci", i)

+ 

+     request.addfinalizer(finofaci)

+     

+ 

+ @pytest.fixture(scope="module")

+ def test_uer(request, topo):

+     topo.standalone.config.loglevel((ErrorLog.ACL_SUMMARY,))

+ 

+     ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)

+     for i in ['Product Development', 'Accounting']:

+         ous.create(properties={'ou': i})

+ 

+     users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Product Development')

+     users.create(properties={

+         'uid': 'Anuj Borah',

+         'cn': 'Anuj Borah',

+         'sn': 'user',

+         'uidNumber': '1000',

+         'gidNumber': '2000',

+         'homeDirectory': '/home/' + 'AnujBorah',

+         'userPassword': PW_DM

+     })

+ 

+     users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')

+     users.create(properties={

+         'uid': 'Ananda Borah',

+         'cn': 'Ananda Borah',

+         'sn': 'user',

+         'uidNumber': '1000',

+         'gidNumber': '2000',

+         'homeDirectory': '/home/' + 'AnandaBorah',

+         'userPassword': PW_DM

+     })

+ 

+ 

+ def test_deny_all_access_with__target_set_on_non_leaf(topo, test_uer, aci_of_user):

+     """Search Test 11 Deny all access with != target set on non-leaf

+     :id: f1c5d72a-6e11-11e8-aa9d-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(target != ldap:///{})(targetattr=*)".format(CONTAINER_2_DELADD)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # After binding with USER_ANANDA , aci will limit the search to itself

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # After binding with USER_ANUJ , aci will limit the search to itself

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # After binding with root , the actual number of users will be given

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+ 

+ 

+ def test_deny_all_access_with__target_set_on_wildcard_non_leaf(

+     topo, test_uer, aci_of_user

+ ):

+     """Search Test 12 Deny all access with != target set on wildcard non-leaf

+     :id: 02f34640-6e12-11e8-a382-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(target != ldap:///ou=Product*,{})(targetattr=*)".format(

+         DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will limit the search to ou=Product it will block others

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will limit the search to ou=Product it will block others

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root , aci will give actual no of users , without any limit.

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+ 

+ 

+ def test_deny_all_access_with__target_set_on_wildcard_leaf(

+     topo, test_uer, aci_of_user

+ ):

+     """Search Test 13 Deny all access with != target set on wildcard leaf

+     :id: 16c54d76-6e12-11e8-b5ba-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(target != ldap:///uid=Anuj*, ou=*,{})(targetattr=*)".format(

+         DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will limit the search to cn=Jeff it will block others

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will limit the search to cn=Jeff it will block others

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root there is no aci blockage

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+ 

+ 

+ def test_deny_all_access_with_targetfilter_using_equality_search(

+     topo, test_uer, aci_of_user

+ ):

+     """Search Test 14 Deny all access with targetfilter using equality search

+     :id: 27255e04-6e12-11e8-8e35-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = '(targetfilter ="(uid=Anuj Borah)")(target = ldap:///{})(targetattr=*)'.format(

+         DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block the search to cn=Jeff

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=Anuj Borah)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will block the search to cn=Jeff

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=Anuj Borah)'))

+     # with root there is no blockage

+     assert 1 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=Anuj Borah)'))

+ 

+ 

+ def test_deny_all_access_with_targetfilter_using_equality_search_two(

+     topo, test_uer, aci_of_user

+ ):

+     """Test that Search Test 15 Deny all access with targetfilter using != equality search

+     :id: 3966bcd4-6e12-11e8-83ce-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = '(targetfilter !="(uid=Anuj Borah)")(target = ldap:///{})(targetattr=*)'.format(

+         DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will limit the search to cn=Jeff it will block others

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will limit the search to cn=Jeff it will block others

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root there is no blockage

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+ 

+ 

+ def test_deny_all_access_with_targetfilter_using_substring_search(

+     topo, test_uer, aci_of_user

+ ):

+     """Test that Search Test 16 Deny all access with targetfilter using substring search

+     :id: 44d7b4ba-6e12-11e8-b420-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = '(targetfilter ="(uid=Anu*)")(target = ldap:///{})(targetattr=*)'.format(

+         DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci block anything cn=j*

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anu*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci block anything cn=j*

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anu*)'))

+     # with root there is no blockage

+     assert 1 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=Anu*)'))

+ 

+ 

+ def test_deny_all_access_with_targetfilter_using_substring_search_two(

+     topo, test_uer, aci_of_user

+ ):

+     """Test that Search Test 17 Deny all access with targetfilter using != substring search

+     :id: 55b12d98-6e12-11e8-8cf4-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = '(targetfilter !="(uid=Anu*)")(target = ldap:///{})(targetattr=*)'.format(

+         DEFAULT_SUFFIX

+     )

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci allow anything cn=j*, it will block others

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci allow anything cn=j*, it will block others

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))

+     # with root there is no blockage

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))

+ 

+ 

+ def test_deny_all_access_with_targetfilter_using_boolean_or_of_two_equality_search(

+     topo, test_uer, aci_of_user

+ ):

+     """Search Test 18 Deny all access with targetfilter using boolean OR of two equality search

+     :id: 29cc35fa-793f-11e8-988f-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(target = ldap:///{})(targetattr = "*")'

+     '(targetfilter = (|(cn=scarter)(cn=jvaughan)))(version 3.0; acl "$tet_thistest"; '

+     'deny absolute (all) (userdn = "ldap:///anyone") ;)'.format(DEFAULT_SUFFIX))

+     UserAccount(topo.standalone, USER_ANANDA).set("cn", "scarter")

+     UserAccount(topo.standalone, USER_ANUJ).set("cn", "jvaughan")

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will deny_all_access_with_targetfilter_using_boolean_or_of_two_equality_search

+     user = UserAccount(conn, USER_ANANDA)

+     with pytest.raises(IndexError):

+         user.get_attr_val_utf8('uid')

+     # aci will deny_all_access_with_targetfilter_using_boolean_or_of_two_equality_search

+     user = UserAccount(conn, USER_ANUJ)

+     with pytest.raises(IndexError):

+         user.get_attr_val_utf8('uid')

+     # with root no blockage

+     assert UserAccount(topo.standalone, USER_ANANDA).get_attr_val_utf8('uid') == 'Ananda Borah'

+     # with root no blockage

+     assert UserAccount(topo.standalone, USER_ANUJ).get_attr_val_utf8('uid') == 'Anuj Borah'

+ 

+ 

+ def test_deny_all_access_to__userdn_two(topo, test_uer, aci_of_user):

+     """Search Test 19 Deny all access to != userdn

+     :id: 693496c0-6e12-11e8-80dc-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn!="ldap:///{}";)'.format(USER_ANANDA)

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will not block anything for USER_ANANDA , it block other users

+     assert  2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will not block anything for USER_ANANDA , it block other users

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root thers is no aci blockage

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+ 

+ 

+ def test_deny_all_access_with_userdn(topo, test_uer, aci_of_user):

+     """

+     Search Test 20 Deny all access with userdn

+     :id: 75aada86-6e12-11e8-bd34-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///{}";)'.format(USER_ANANDA)

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block anything for USER_ANANDA , it not block other users

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will block anything for USER_ANANDA , it not block other users

+     assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root thers is no aci blockage

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+ 

+ 

+ def test_deny_all_access_with_targetfilter_using_presence_search(

+     topo, test_uer, aci_of_user

+ ):

+     """

+     Search Test 21 Deny all access with targetfilter using presence search

+     :id: 85244a42-6e12-11e8-9480-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     user = UserAccounts(topo.standalone,  DEFAULT_SUFFIX).create_test_user()

+     user.set('userPassword', PW_DM)

+ 

+     ACI_TARGET = '(targetfilter ="(cn=*)")(target = ldap:///{})(targetattr=*)'.format(

+         DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will eny_all_access_with_targetfilter_using_presence_search

+     user = UserAccount(conn, 'uid=test_user_1000,ou=People,{}'.format(DEFAULT_SUFFIX))

+     with pytest.raises(IndexError):

+         user.get_attr_val_utf8('cn')

+     # with root no blockage

+     assert UserAccount(topo.standalone, 'uid=test_user_1000,ou=People,{}'.format(DEFAULT_SUFFIX)).get_attr_val_utf8('cn') == 'test_user_1000'

+ 

+ 

+ if __name__ == "__main__":

+     CURRENT_FILE = os.path.realpath(__file__)

+     pytest.main("-s -v %s" % CURRENT_FILE) 

\ No newline at end of file
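Review bot: Several tests in this file mutate module-scoped directory state without restoring it, while the `aci_of_user` finalizer only restores the `aci` attribute: `test_deny_all_access_with_targetfilter_using_boolean_or_of_two_equality_search` renames the two users' `cn` to `scarter`/`jvaughan`, `test_deny_all_access_with_targetfilter_using_presence_search` creates `test_user_1000` (with `PW_DM` as its password) and never deletes it, and `test_uer` has no teardown for the OUs and users it creates. The `2 == len(...)` and `(cn=Anu*)` assertions elsewhere in the file hold only because of default file ordering; under `-k` selection, a rerun on the same instance, or a randomised order they can fail. I would restore state at the end of those tests, e.g. `UserAccount(topo.standalone, USER_ANANDA).set("cn", "Ananda Borah")` (and the same for `USER_ANUJ`) and `UserAccount(topo.standalone, 'uid=test_user_1000,ou=People,{}'.format(DEFAULT_SUFFIX)).delete()` through the root connection, preferably via `request.addfinalizer` so the cleanup also runs when an assertion fails, and give `test_uer` a finalizer that deletes the two users and OUs. Separately, the acl name `"$tet_thistest"` in the `add("aci", ...)` call of the boolean-OR test is a leftover TET variable; use a literal name as the other tests do with `"Name of the ACI"`.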

@@ -0,0 +1,468 @@ 

+ # --- BEGIN COPYRIGHT BLOCK ---

+ # Copyright (C) 2019 Red Hat, Inc.

+ # All rights reserved.

+ #

+ # License: GPL (version 3 or any later version).

+ # See LICENSE for details.

+ # --- END COPYRIGHT BLOCK ----

+ 

+ import pytest, os, ldap

+ from lib389._constants import DEFAULT_SUFFIX, PW_DM, ErrorLog

+ from lib389.idm.user import UserAccount, UserAccounts

+ from lib389.idm.organization import Organization

+ from lib389.idm.account import Accounts, Anonymous

+ from lib389.idm.group import Group, UniqueGroup

+ from lib389.idm.organizationalunit import OrganizationalUnit

+ from lib389.idm.group import Groups

+ from lib389.topologies import topology_st as topo

+ from lib389.idm.domain import Domain

+ 

+ 

+ CONTAINER_1_DELADD = "ou=Product Development,{}".format(DEFAULT_SUFFIX)

+ CONTAINER_2_DELADD = "ou=Accounting,{}".format(DEFAULT_SUFFIX)

+ USER_ANUJ = "uid=Anuj Borah,{}".format(CONTAINER_1_DELADD)

+ USER_ANANDA = "uid=Ananda Borah,{}".format(CONTAINER_2_DELADD)

+ 

+ 

+ @pytest.fixture(scope="function")

+ def aci_of_user(request, topo):

+     aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')

+ 

+     def finofaci():

+         domain = Domain(topo.standalone, DEFAULT_SUFFIX)

+         domain.set('aci', None)

+         for i in aci_list:

+             domain.add("aci", i)

+ 

+     request.addfinalizer(finofaci)

+     

+ 

+ @pytest.fixture(scope="module")

+ def test_uer(request, topo):

+     topo.standalone.config.loglevel((ErrorLog.ACL_SUMMARY,))

+ 

+     for i in ['Product Development', 'Accounting']:

+         OrganizationalUnit(topo.standalone, "ou={},{}".format(i, DEFAULT_SUFFIX)).create(properties={'ou': i})

+ 

+     users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Product Development')

+     users.create(properties={

+         'uid': 'Anuj Borah',

+         'cn': 'Anuj Borah',

+         'sn': 'user',

+         'uidNumber': '1000',

+         'gidNumber': '2000',

+         'homeDirectory': '/home/' + 'AnujBorah',

+         'userPassword': PW_DM

+     })

+ 

+     users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')

+     users.create(properties={

+         'uid': 'Ananda Borah',

+         'cn': 'Ananda Borah',

+         'sn': 'user',

+         'uidNumber': '1000',

+         'gidNumber': '2000',

+         'homeDirectory': '/home/' + 'AnandaBorah',

+         'userPassword': PW_DM

+     })

+ 

+ 

+ def test_deny_search_access_to_userdn_with_ldap_url(topo, test_uer, aci_of_user):

+     """

+     Search Test 23 Deny search access to userdn with LDAP URL

+     :id: 94f082d8-6e12-11e8-be72-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'

+     ACI_SUBJECT = (

+         'userdn="ldap:///%s";)' % "{}??sub?(&(roomnumber=3445))".format(DEFAULT_SUFFIX)

+     )

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     UserAccount(topo.standalone, USER_ANANDA).set('roomnumber', '3445')

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block all users having roomnumber=3445

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will block roomnumber=3445 for all users USER_ANUJ does not have roomnumber

+     assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root there is no aci blockage

+     UserAccount(topo.standalone, USER_ANANDA).remove('roomnumber', '3445')

+ 

+ 

+ def test_deny_search_access_to_userdn_with_ldap_url_two(topo, test_uer, aci_of_user):

+     """

+     Search Test 24 Deny search access to != userdn with LDAP URL

+     :id: a1ee05d2-6e12-11e8-8260-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'

+     ACI_SUBJECT = (

+         'userdn != "ldap:///%s";)' % "{}??sub?(&(roomnumber=3445))".format(DEFAULT_SUFFIX)

+     )

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     UserAccount(topo.standalone, USER_ANANDA).set('roomnumber', '3445')

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will not block all users having roomnumber=3445 , it will block others

+     assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will not block all users having roomnumber=3445 , it will block others

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root there is no aci blockage

+     UserAccount(topo.standalone, USER_ANANDA).remove('roomnumber', '3445')

+ 

+ 

+ def test_deny_search_access_to_userdn_with_ldap_url_matching_all_users(

+     topo, test_uer, aci_of_user

+ ):

+     """

+     Search Test 25 Deny search access to userdn with LDAP URL matching all users

+     :id: b37f72ae-6e12-11e8-9c98-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny (search)'

+     ACI_SUBJECT = 'userdn = "ldap:///%s";)' % "{}??sub?(&(cn=*))".format(DEFAULT_SUFFIX)

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will  block all users LDAP URL matching all users

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will  block all users LDAP URL matching all users

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root there is no aci blockage

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+ 

+ 

+ def test_deny_read_access_to_a_dynamic_group(topo, test_uer, aci_of_user):

+     """

+     Search Test 26 Deny read access to a dynamic group

+     :id: c0c5290e-6e12-11e8-a900-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     groups = Groups(topo.standalone, DEFAULT_SUFFIX)

+     group_properties = {"cn": "group1", "description": "testgroup"}

+     group = groups.create(properties=group_properties)

+     group.add('objectClass', 'groupOfURLS')

+     group.set('memberURL', "ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX))

+     group.add_member(USER_ANANDA)

+ 

+     ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format(DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown"

+     ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format(DEFAULT_SUFFIX)

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block all 'memberURL', "ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX)

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # USER_ANUJ is not a member

+     assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     group.delete()

+ 

+ 

+ def test_deny_read_access_to_dynamic_group_with_host_port_set_on_ldap_url(

+     topo, test_uer, aci_of_user

+ ):

+     """

+     Search Test 27 Deny read access to dynamic group with host:port set on LDAP URL

+     :id: ceb62158-6e12-11e8-8c36-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     groups = Groups(topo.standalone, DEFAULT_SUFFIX)

+     group = groups.create(properties={"cn": "group1",

+                                       "description": "testgroup"

+                                       })

+     group.add('objectClass', 'groupOfURLS')

+     group.set('memberURL', "ldap:///localhost:38901/{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX))

+     group.add_member(USER_ANANDA)

+ 

+     ACI_TARGET = '(target = ldap:///{})(targetattr = "*")'.format(DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read)' % "Unknown"

+     ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format(DEFAULT_SUFFIX)

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block 'memberURL', "ldap:///localhost:38901/dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root there is no aci blockage

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+     group.delete()

+ 

+ 

+ def test_deny_read_access_to_dynamic_group_with_scope_set_to_one_in_ldap_url(

+     topo, test_uer, aci_of_user

+ ):

+     """

+     Search Test 28 Deny read access to dynamic group with scope set to "one" in LDAP URL

+     :id: ddb30432-6e12-11e8-94db-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     groups = Groups(topo.standalone, DEFAULT_SUFFIX)

+     group = groups.create(properties={"cn": "group1",

+                                       "description": "testgroup"

+                                       })

+     group.add('objectClass', 'groupOfURLS')

+     group.set('memberURL', "ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX))

+     group.add_member(USER_ANANDA)

+ 

+     ACI_TARGET = '(targetattr = "*")'

+     ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read) ' % "Unknown"

+     ACI_SUBJECT = 'groupdn != "ldap:///cn=group1,ou=Groups,{}";)'.format(DEFAULT_SUFFIX)

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will allow only 'memberURL', "ldap:///{dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"

+     assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will allow only 'memberURL', "ldap:///{dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     group.delete()

+ 

+ 

+ def test_deny_read_access_to_dynamic_group_two(topo, test_uer, aci_of_user):

+     """

+     Search Test 29 Deny read access to != dynamic group

+     :id: eae2a6c6-6e12-11e8-80f3-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     groups = Groups(topo.standalone, DEFAULT_SUFFIX)

+     group_properties = {"cn": "group1",

+                         "description": "testgroup"

+                         }

+     group = groups.create(properties=group_properties)

+     group.add('objectClass', 'groupofuniquenames')

+     group.set('uniquemember', [USER_ANANDA,USER_ANUJ])

+ 

+     ACI_TARGET = '(targetattr = "*")'

+     ACI_ALLOW = '(version 3.0; acl "All rights for %s"; deny(read) ' % "Unknown"

+     ACI_SUBJECT = 'groupdn = "ldap:///cn=group1,ou=Groups,{}";)'.format(DEFAULT_SUFFIX)

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block groupdn = "ldap:///cn=group1,ou=Groups,dc=example,dc=com";)

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will block groupdn = "ldap:///cn=group1,ou=Groups,dc=example,dc=com";)

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root there is no aci blockage

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+     group.delete()

+ 

+ 

+ def test_deny_access_to_group_should_deny_access_to_all_uniquemember(

+     topo, test_uer, aci_of_user

+ ):

+     """

+     Search Test 38 Deny access to group should deny access to all uniquemember (including chain group)

+     :id: 56b470e4-7941-11e8-912b-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+ 

+     grp = UniqueGroup(topo.standalone, 'cn=Nested Group 1,' + DEFAULT_SUFFIX)

+     grp.create(properties={

+         'cn': 'Nested Group 1',

+         'ou': 'groups',

+         'uniquemember': "cn=Nested Group 2, {}".format(DEFAULT_SUFFIX)

+     })

+ 

+     grp = UniqueGroup(topo.standalone, 'cn=Nested Group 2,' + DEFAULT_SUFFIX)

+     grp.create(properties={

+         'cn': 'Nested Group 2',

+         'ou': 'groups',

+         'uniquemember': "cn=Nested Group 3, {}".format(DEFAULT_SUFFIX)

+     })

+ 

+     grp = UniqueGroup(topo.standalone, 'cn=Nested Group 3,' + DEFAULT_SUFFIX)

+     grp.create(properties={

+         'cn': 'Nested Group 3',

+         'ou': 'groups',

+         'uniquemember': [USER_ANANDA, USER_ANUJ]

+     })

+ 

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target = ldap:///{})(targetattr=*)'

+     '(version 3.0; acl "$tet_thistest"; deny(read)(groupdn = "ldap:///cn=Nested Group 1, {}"); )'.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX))

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # deny_access_to_group_should_deny_access_to_all_uniquemember

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # deny_access_to_group_should_deny_access_to_all_uniquemember

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root there is no aci blockage

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+ 

+ 

+ def test_entry_with_lots_100_attributes(topo, test_uer, aci_of_user):

+     """

+     Search Test 39 entry with lots (>100) attributes

+     :id: fc155f74-6e12-11e8-96ac-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Bind with test USER_ANUJ

+         3. Try search

+         4. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         3. Operation should success

+         4. Operation should success

+         5. Operation should success

+     """

+     for i in range(100):

+         user = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=People').create_test_user(uid=i)

+         user.set("userPassword", "password")

+ 

+     conn = UserAccount(topo.standalone, "uid=test_user_1,ou=People,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)

+     # no aci no blockage

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj*)'))

+     # no aci no blockage

+     assert 102 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))

+     conn = Anonymous(topo.standalone).bind()

+     # anonymous_search_on_monitor_entry

+     assert 102 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))

+ 

+ 

+ @pytest.mark.bz301798

+ def test_groupdnattr_value_is_another_group(topo):

+     """

+     Search Test 42 groupdnattr value is another group test #1

+     :id: 52299e16-7944-11e8-b471-8c16451d917b

+     :setup: server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. USER_ANUJ should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     Organization(topo.standalone).create(properties={"o": "nscpRoot"}, basedn=DEFAULT_SUFFIX)

+ 

+     user = UserAccount(topo.standalone, "cn=dchan,o=nscpRoot,{}".format(DEFAULT_SUFFIX))

+     user.create(properties={

+         'uid': 'dchan',

+         'cn': 'dchan',

+         'sn': 'user',

+         'uidNumber': '1000',

+         'gidNumber': '2000',

+         'homeDirectory': '/home/' + 'dchan',

+         'userPassword': PW_DM

+     })

+ 

+     grp = UniqueGroup(topo.standalone, 'cn=groupx,o=nscpRoot,' + DEFAULT_SUFFIX)

+     grp.create(properties={

+         'cn': 'groupx',

+         'ou': 'groups',

+     })

+     grp.set('uniquemember', 'cn=dchan,o=nscpRoot,{}'.format(DEFAULT_SUFFIX))

+     grp.set('aci', '(targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare) groupdnattr="ldap:///o=nscpRoot?uniquemember?sub";)')

+ 

+     conn = UserAccount(topo.standalone, 'cn=dchan,o=nscpRoot,{}'.format(DEFAULT_SUFFIX),).bind(PW_DM)

+     # acil will allow ldap:///o=nscpRoot?uniquemember?sub"

+     assert UserAccount(conn, 'cn=groupx,o=nscpRoot,{}'.format(DEFAULT_SUFFIX)).get_attr_val_utf8('cn') == 'groupx'

+ 

+ 

+ if __name__ == "__main__":

+     CURRENT_FILE = os.path.realpath(__file__)

+     pytest.main("-s -v %s" % CURRENT_FILE) 

\ No newline at end of file

@@ -0,0 +1,409 @@ 

+ # --- BEGIN COPYRIGHT BLOCK ---

+ # Copyright (C) 2019 Red Hat, Inc.

+ # All rights reserved.

+ #

+ # License: GPL (version 3 or any later version).

+ # See LICENSE for details.

+ # --- END COPYRIGHT BLOCK ----

+ 

+ import pytest, os, ldap

+ from lib389._constants import DEFAULT_SUFFIX, PW_DM, ErrorLog

+ from lib389.idm.user import UserAccount, UserAccounts

+ from lib389.idm.account import Accounts

+ from lib389.idm.organizationalunit import OrganizationalUnit

+ from lib389.idm.group import Groups

+ from lib389.topologies import topology_st as topo

+ from lib389.idm.domain import Domain

+ from lib389.idm.posixgroup import PosixGroups

+ 

+ 

+ CONTAINER_1_DELADD = "ou=Product Development,{}".format(DEFAULT_SUFFIX)

+ CONTAINER_2_DELADD = "ou=Accounting,{}".format(DEFAULT_SUFFIX)

+ USER_ANUJ = "uid=Anuj Borah,{}".format(CONTAINER_1_DELADD)

+ USER_ANANDA = "uid=Ananda Borah,{}".format(CONTAINER_2_DELADD)

+ 

+ 

+ @pytest.fixture(scope="function")

+ def aci_of_user(request, topo):

+     aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')

+ 

+     def finofaci():

+         domain = Domain(topo.standalone, DEFAULT_SUFFIX)

+         domain.set('aci', None)

+         for i in aci_list:

+             domain.add("aci", i)

+ 

+     request.addfinalizer(finofaci)

+ 

+ 

+ @pytest.fixture(scope="module")

+ def test_uer(request, topo):

+     topo.standalone.config.loglevel((ErrorLog.ACL_SUMMARY,))

+ 

+     for i in ['Product Development', 'Accounting']:

+         OrganizationalUnit(topo.standalone, "ou={},{}".format(i, DEFAULT_SUFFIX)).create(properties={'ou': i})

+ 

+     users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Product Development')

+     users.create(properties={

+         'uid': 'Anuj Borah',

+         'cn': 'Anuj Borah',

+         'sn': 'user',

+         'uidNumber': '1000',

+         'gidNumber': '2000',

+         'homeDirectory': '/home/' + 'AnujBorah',

+         'userPassword': PW_DM

+     })

+ 

+     users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')

+     users.create(properties={

+         'uid': 'Ananda Borah',

+         'cn': 'Ananda Borah',

+         'sn': 'user',

+         'uidNumber': '1000',

+         'gidNumber': '2000',

+         'homeDirectory': '/home/' + 'AnandaBorah',

+         'userPassword': PW_DM

+     })

+ 

+ 

+ def test_deny_all_access_with_target_set(topo, test_uer, aci_of_user):

+     """Test that Deny all access with target set

+     :id: 0550e680-6e0e-11e8-82f4-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(USER_ANANDA)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block all for all usrs

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will block all for all usrs

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))

+     # with root there is no aci blockage

+     assert 1 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))

+ 

+ 

+ def test_deny_all_access_to_a_target_with_wild_card(topo, test_uer, aci_of_user):

+     """Search Test 2 Deny all access to a target with wild card

+     :id: 1c370f98-6e11-11e8-9f10-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(target = ldap:///uid=Ananda*, ou=*,{})(targetattr=*)".format(

+         DEFAULT_SUFFIX

+     )

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block (cn=Sam*) for all usrs

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will block (cn=Sam*) for all usrs

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))

+     # with root there is no aci blockage

+     assert 1 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=Ananda*)'))

+ 

+ 

+ def test_deny_all_access_without_a_target_set(topo, test_uer, aci_of_user):

+     """Search Test 3 Deny all access without a target set

+     :id: 2dbeb36a-6e11-11e8-ab9f-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(targetattr=*)"

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block all for all usrs

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(ou=Accounting)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will block all for all usrs

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(ou=Accounting)'))

+     # with root there is no aci blockage

+     assert 1 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(ou=Accounting)'))

+ 

+ 

+ def test_deny_read_search_and_compare_access_with_target_and_targetattr_set(

+     topo, test_uer, aci_of_user

+ ):

+     """Search Test 4 Deny read, search and compare access with target and targetattr set

+     :id: 3f4a87e4-6e11-11e8-a09f-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(CONTAINER_2_DELADD)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block all for all usrs

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(ou=Accounting)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will block all for all usrs

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(ou=Accounting)'))

+     # with root there is no aci blockage

+     assert 1 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(ou=Accounting)'))

+ 

+ 

+ def test_deny_read_access_to_multiple_groupdns(topo, test_uer, aci_of_user):

+     """Search Test 6 Deny read access to multiple groupdn's

+     :id: 8f3ba440-6e11-11e8-8b20-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     groups = Groups(topo.standalone, DEFAULT_SUFFIX)

+     group = groups.create(properties={"cn": "group1",

+                                       "description": "testgroup"

+                                       })

+     group.add_member(USER_ANANDA)

+ 

+     posix_groups = PosixGroups(topo.standalone, DEFAULT_SUFFIX)

+     posix_group = posix_groups.create(properties={

+         "cn": "group2",

+         "description": "testgroup2",

+         "gidNumber": "2000",

+     })

+     posix_group.add_member(USER_ANUJ)

+ 

+     ACI_TARGET = '(targetattr="*")'

+     ACI_ALLOW = '(version 3.0; acl "All rights for cn=group1,ou=Groups,{}"; deny(read)'.format(DEFAULT_SUFFIX)

+     ACI_SUBJECT = 'groupdn="ldap:///cn=group1,ou=Groups,{}||ldap:///cn=group2,ou=Groups,{}";)'.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX)

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";)

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will block 'groupdn="ldap:///cn=group1,ou=Groups,dc=example,dc=com||ldap:///cn=group2,ou=Groups,dc=example,dc=com";)

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root there is no aci blockage

+     assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+     group = groups.get("group1")

+     group.delete()

+     posix_groups.get("group2")

+     posix_group.delete()

+ 

+ 

+ def test_deny_all_access_to_userdnattr(topo, test_uer, aci_of_user):

+     """Search Test 7 Deny all access to userdnattr"

+     :id: ae482494-6e11-11e8-ae33-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     UserAccount(topo.standalone, USER_ANUJ).add('manager', USER_ANANDA)

+     ACI_TARGET = "(target = ldap:///{})(targetattr=*)".format(DEFAULT_SUFFIX)

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdnattr="manager";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block only 'userdnattr="manager"

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will block only 'userdnattr="manager"

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)'))

+     # with root there is no aci blockage

+     assert 1 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=Anuj Borah)'))

+     UserAccount(topo.standalone, USER_ANUJ).remove('manager', USER_ANANDA)

+ 

+ 

+ def test_deny_all_access_with__target_set(topo, test_uer, aci_of_user):

+     """Search Test 8 Deny all access with != target set

+     :id: bc00aed0-6e11-11e8-be66-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(target != "ldap:///{}")(targetattr = "*")'

+     '(version 3.0; acl "$tet_thistest"; deny absolute (all) (userdn = "ldap:///anyone") ;)'.format(USER_ANANDA))

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will not block USER_ANANDA will block others

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will not block USER_ANANDA will block others

+     assert 1 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root there is no aci blockage

+     assert 2 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+ 

+ 

+ def test_deny_all_access_with__targetattr_set(topo, test_uer, aci_of_user):

+     """Search Test 9 Deny all access with != targetattr set

+     :id: d2d73b2e-6e11-11e8-ad3d-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     testusers = UserAccounts(topo.standalone, DEFAULT_SUFFIX)

+     user = testusers.create(properties={

+         'uid': 'Anuj',

+         'cn': 'Anuj',

+         'sn': 'user',

+         'uidNumber': '1000',

+         'gidNumber': '2000',

+         'homeDirectory': '/home/' + 'Anuj',

+         'userPassword': PW_DM

+     })

+ 

+     ACI_TARGET = "(targetattr != uid||Objectclass)"

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will allow only uid=*

+     assert 3 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))

+     # aci will allow only uid=*

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will allow only uid=*

+     assert 3 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))

+     # aci will allow only uid=*

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))

+     # with root there is no aci blockage

+     assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))

+     # with root there is no aci blockage

+     assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(cn=*)'))

+     user.delete()

+ 

+ 

+ def test_deny_all_access_with_targetattr_set(topo, test_uer, aci_of_user):

+     """Search Test 10 Deny all access with targetattr set

+     :id: e1602ff2-6e11-11e8-8e55-8c16451d917b

+     :setup: Standalone Instance

+     :steps:

+         1. Add Entry

+         2. Add ACI

+         3. Bind with test USER_ANUJ

+         4. Try search

+         5. Delete Entry,test USER_ANUJ, ACI

+     :expectedresults:

+         1. Operation should success

+         2. Operation should success

+         3. Operation should success

+         4. Operation should Fail

+         5. Operation should success

+     """

+     testuser = UserAccount(topo.standalone, "cn=Anuj12,ou=People,{}".format(DEFAULT_SUFFIX))

+     testuser.create(properties={

+         'uid': 'Anuj12',

+         'cn': 'Anuj12',

+         'sn': 'user',

+         'uidNumber': '1000',

+         'gidNumber': '2000',

+         'homeDirectory': '/home/' + 'Anuj12'

+     })

+ 

+     ACI_TARGET = "(targetattr = uid)"

+     ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'

+     ACI_SUBJECT = 'userdn="ldap:///anyone";)'

+     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

+     conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)

+     # aci will block only uid=*

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))

+     conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)

+     # aci will block only uid=*

+     assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))

+     # with root there is no aci blockage

+     assert 3 == len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))

+     testuser.delete()

+ 

+ 

+ if __name__ == "__main__":

+     CURRENT_FILE = os.path.realpath(__file__)

+     pytest.main("-s -v %s" % CURRENT_FILE)
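Review bot: The per-test cleanup in this file is not failure-safe: `group.delete()` / `posix_group.delete()` in test_deny_read_access_to_multiple_groupdns, `UserAccount(topo.standalone, USER_ANUJ).remove('manager', USER_ANANDA)` in test_deny_all_access_to_userdnattr and `user.delete()` / `testuser.delete()` in the two targetattr tests run only after the assertions, so a single failing assert leaves `cn=group1`, the `manager` value or the extra user behind, and because the module-scoped `test_uer` fixture never tears down either, later tests that recreate the same names then fail or pass for the wrong reason — in an ACI suite a stale group membership can mask an access-control regression. Register the teardown with pytest instead: `def test_deny_read_access_to_multiple_groupdns(request, topo, test_uer, aci_of_user):`, then `request.addfinalizer(group.delete)` and `request.addfinalizer(posix_group.delete)` immediately after each create, and apply the same pattern to the other tests. `posix_groups.get("group2")` discards its result and can be dropped. The ACI name `"$tet_thistest"` in test_deny_all_access_with__target_set is a leftover TET variable and should become a descriptive literal such as `"deny all with != target"`. `pytest.main("-s -v %s" % CURRENT_FILE)` at the end passes one string where current pytest expects a list, `pytest.main(["-s", "-v", CURRENT_FILE])`.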

Port ACI test suit from TET to python3(Search)

https://pagure.io/389-ds-base/issue/50112

Reviewed by: ???

Not really sure about this formatting here. Maybe:

assert(1 == list(len(conn.search_s(...))))

Isn't there a test_user_create function you can use on userAccount?

Shouldn't this be a "d = Domain(DEFAULT_SUFFIX); l = d.get('aci'); d.set('aci', l)"?
That would avoid ensure_bytes. Generally, if you see "ensure bytes" it probably means you are doing something incorrectly, as we shouldn't have this at a high level like tests.

Please don't use raw modify_s, there is a "object.delete('attr')" instead you can use.

Because you shouldn't ever need raw "b'str'" types ...

If you use Domain.add here, you don't need ensure_bytes.

rebased onto 535f4f5c39cc3e488c3eb940e0e179293099c073

5 years ago

I'm sorry @aborah But I want you to self review this patch you just provided with my comments again. I looked really quickly and I still see formatting and incorrect api usage changes. I really appreciate you want these changes merged, but when I provide comments they aren't just for single lines, but I provide them so that they apply to the whole patch. This means if I point out a change in one location I expect you to apply it across the whole file.

I think you should review this patch again with my comments previously in mind, and please update it. Additionally, I think the "please merge if ok" is maybe not the right language to use in a project like this. The team will make the decision when we are ready. Thanks,

rebased onto cecc69ec05a82ec1a9c6e32483955d7a8c429a4e

5 years ago

This style of formatting is something I raised in my review, and it's not been corrected.

rebased onto 466a6e4b07ea4abe42552c2114ef957deab5f2cf

5 years ago

rebased onto 0083b08b4130c83d0e3ecdd739fd3281bdc1da17

5 years ago

You don't need a list comprehension here, just use conn.search_s as it already returns a list .....

Can you comment what this is trying to achieve (I think it's checking aci's show different number of users ...)

Why uniquemember and not member? Group in ds should be groupOfNames not groupOfUniqueNames ....

You define dn twice. Consider format strings instead "ou=%s,%s" % (thing, suffix)

Create test user already exists in the UserAccount class I think ....

Create test user already exists in the UserAccount class I think ....

Yes, there is one, but a user created with the existing create-test-user helper in the UserAccount class comes out as uid=..., while some of the test cases need users as cn=...; that is why I am using this one.

Why uniquemember and not member? Group in ds should be groupOfNames not groupOfUniqueNames ....

as test case says test_deny_access_to_group_should_deny_access_to_all_uniquemember , thats why i am adding users as uniquemember

rebased onto 44b6e96a8b44603492f0ae4f57d14d75508e745a

5 years ago

Why do you have seperate create test functions here? We can add more to core lib389 if needed that are generic over a variety of tests instead of adding them to every suite individually.

rebased onto 7e8fdab047794d5c63a6bb1df0b2dd2f38341138

5 years ago

@firstyear , i have removed whole working_constans.py now only generic create_test functions are there .

You shouldn't need raw search, there are other ways to check this.

I am only going to comment on this that you have again, used a raw search_s() function. There are other ways to achieve this. For example:

users = UserAccounts(inst, DEFAULT_SUFFIX)
users.list()

That's it! Note the 's', which pluralises the object type. UserAccounts represents "all possible userAccounts" on the directory Server, and thus, allows you to wrap and search based on who the inst is bound as.

I am only going to comment on this that you have again, used a raw search_s() function. There are other ways to achieve this. For example:
users = UserAccounts(inst, DEFAULT_SUFFIX)
users.list()

That's it! Note the 's', which pluralises the object type. UserAccounts represents "all possible userAccounts" on the directory Server, and thus, allows you to wrap and search based on who the inst is bound as.

For the case below, what would the solution be? As per the test case, the aci allows only targetattr="mail".

Domain(topo.standalone, DEFAULT_SUFFIX).replace("aci", '(target="ldap:///{}")(targetattr="mail")''(version 3.0; acl "Test";allow (read,search,compare) ''(userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX))

conn = UserAccount(topo.standalone, "").bind("")
# aci will allow only mail targetattr
assert 3 == len(conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, "mail=*"))
# aci will allow only mail targetattr
assert 0 == len(conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, "cn=*"))

rebased onto 94bb873bf875fe658a7d1b4874a233ae77d540b0

5 years ago

@aborah

user_conn = UserAccount(inst, "").bind("") # See my rcomments about making an anonymous type
AnonUserView = UserAccounts(use_conn, DEFAULT_SUFFIX)
users = AnonUserView.list() # Should return no entries because cn is not searchable

We'll need to add a generic filter type to handle the mail=* case. This is a perfect example of "if we do extra work today to fix it properly" we never have to fix it ever ever again.

PS: This means, open a new ticket for "Add generic filter to DSLdapObjects" ticket, and you will implement that first and separately, in isolation, with tests, then we'll rebase onto that work from here.

@firstyear where should I put it? Any suggestion on how to approach it, i.e. how to get the job done?

You already opened a ticket for this? https://pagure.io/389-ds-base/issue/50219 So I guess that's where...

rebased onto 6a866f5e8bbd6add0c8d80c7795462c26523fd94

5 years ago

@firstyear we have already implemented the filter, and the changes have been made in the scripts accordingly. Please check.

rebased onto 69d7a0f0f3636724cbcfffdb2d81f2873201e064

5 years ago

I'll check monday if that's okay.

rebased onto ed538309d95433bc72bf356ae6cba1fecdc63130

5 years ago

rebased onto f8f6869bc71824e7abbb7f24159fcd2566712baf

5 years ago

@aborah, I would like to run the tests; would it be possible to set the aci logs for all tests?
It should be something like instance.config.loglevel((ErrorLog.LOG_ACL_SUMMARY,))

rebased onto ece9871ba2c5953996cff021165b6a48c1b54a8a

5 years ago

rebased onto c3bb6fbc4cd21b309944bd3a4894fe1bcd26fad3

5 years ago

@aborah, I would like to validate some test cases to be sure we are testing what we expect to validate. I will do it next week.

You know you don't need this syntax? The following is cleaner:

ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
for i in ['a', 'b']: #lazy names
    ous.create(properties={'ou': i})

Learn to use the multiple versions of dsldapobjects. Every "type" (with a handful of exceptions, mainly config) has a pair of types.

There is the DSLdapObject (singular) that represents "a single entry in the directory" and manipulations of that.

There is DSLdapObjects (plural) that represents "the concept of all of the entry type in the directory" and interactions with all of them.

The idea is that you have say "Groups" which represents "all possible groups that exist", and a "Group" which is one group, that really really exists and can be interacted with.

So when you are creating a new group, you say "Groups.create()", because you are saying "To the set of all possible groups, I create a new group". Because Groups "knows" what a group should look like, and where, it creates it in the right spot for you.

In this case, OU's plural always creates "directly under default suffix", so using the pattern above is nicer

Now continuing the lesson, here you do this horrid looking weird "name,ou=..." syntax. When what you actually want is:

users = UserAccounts(topo.standalone, basedn='ou=Product Development,DEFAULT_SUFFIX')
users.create(properties={
    'uid': 'jeff',
    ...
})

In a similar way to the above, this UserAccounts (plural) is saying "for the concept of all users that could possibly exist under ou=Product Development,..."; then, of course, .create knows how to put the jeff object in exactly the right place!

Remember, you use for loops to eliminate repeated work, but here you are actually doing different work (there are two ou's you create in), so just do the above segment twice. Over optimisation leads to situations like this.

Don't use Accounts here, it will do something you don't expect. OU's are VALID ACCOUNTS, which is absolutely insane and broken, but that's LDAP for you. You should be more specific about the type you are accessing, like UserAccounts or something.

Now continuing the lesson, here you do this horrid looking weird "name,ou=..." syntax. When what you actually want is:
users = UserAccounts(topo.standalone, basedn='ou=Product Development,DEFAULT_SUFFIX')
users.create(properties={
'uid': 'jeff',
...
})

In a similar way to the above, this UserAccounts (plural) is saying "for the concept of all users that could possibly exist under ou=Product Development,..."; then, of course, .create knows how to put the jeff object in exactly the right place!
Remember, you use for loops to eliminate repeated work, but here you are actually doing different work (there are two ou's you create in), so just do the above segment twice. Over optimisation leads to situations like this.

You did not check the rdn (ou) value; the two are different:

for i in ['Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting']:
UserAccount(topo.standalone, "cn={},{}".format(i, DEFAULT_SUFFIX)).create(properties={

anyway i have changed it to UserAccounts()

rebased onto 9e3769d50d81e30d6fd2cd4221867a7f82349f60

5 years ago

rebased onto 2475e986e993d45ff16cd4c7e66acc8d4b79d14d

5 years ago

The tests looks good to me.
To simplify reading the test case, please rename "USER_DELADD" to "USER_ANUJ" and "USER_WITH_ACI_DELADD" to "USER_ANANDA".

rebased onto 847e2bc93a612b13ea8204aa5a35681d0af5121c

5 years ago

@aborah, I reviewed and checked the validity of a few TCs. Note that I cannot review/verify all of them.
You have my ACK.
Please wait for @firstyear's approval before merging.

rebased onto 656a6c9

5 years ago

@firstyear, this one got @tbordaz's approval; please check.

Pull-Request has been merged by firstyear

5 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3235

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for your understanding. We apologize for any inconvenience.

Pull-Request has been closed by spichugi

3 years ago