#50180 Issue: 50112 - Port ACI test suit from TET to python3(keyaci)
Closed 3 years ago by spichugi. Opened 5 years ago by aborah.
aborah/389-ds-base key  into  master

@@ -0,0 +1,125 @@ 

+ # --- BEGIN COPYRIGHT BLOCK ---

+ # Copyright (C) 2019 Red Hat, Inc.

+ # All rights reserved.

+ #

+ # License: GPL (version 3 or any later version).

+ # See LICENSE for details.

+ # --- END COPYRIGHT BLOCK ----

+ 

+ """

+ This is the config file for keywords test scripts.

+ 

+ """

+ 

+ import pytest

+ 

+ from lib389._constants import DEFAULT_SUFFIX, PW_DM

+ from lib389.idm.user import  UserAccounts

+ from lib389.idm.organizationalunit import OrganizationalUnit, OrganizationalUnits

+ from lib389.topologies import topology_st as topo

+ from lib389.idm.domain import Domain

+ 

+ 

+ @pytest.fixture(scope="function")

+ def aci_of_user(request, topo):

+     """

+     Removes and Restores ACIs after the test.

+     """

+     aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals_utf8('aci')

+ 

+     def finofaci():

+         """

+         Removes and Restores ACIs after the test.

+         """

+         domain = Domain(topo.standalone, DEFAULT_SUFFIX)

+         domain.remove_all('aci')

+         for aci in aci_list:

+             domain.add("aci", aci)

+ 

+     request.addfinalizer(finofaci)

+ 

+ 

+ @pytest.fixture(scope="module")

+ def add_user(request, topo):

+     """

+     This function will create user for the test and in the end entries will be deleted .

+     """

+     ous_origin = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)

+     ou_origin = ous_origin.create(properties={'ou': 'Keywords'})

+ 

+     ous_next = OrganizationalUnits(topo.standalone, ou_origin.dn)

+     for ou in ['Authmethod', 'Dayofweek', 'DNS', 'IP', 'Timeofday']:

+         ous_next.create(properties={'ou': ou})

+ 

+     users_day_of_week = UserAccounts(topo.standalone, f"ou=Dayofweek,ou=Keywords,{DEFAULT_SUFFIX}", rdn=None)

+     for user in ['EVERYDAY_KEY', 'TODAY_KEY', 'NODAY_KEY']:

+         users_day_of_week.create(properties={

+             'uid': user,

+             'cn': user,

+             'sn': 'user',

+             'uidNumber': '1000',

+             'gidNumber': '2000',

+             'homeDirectory': '/home/' + user,

+             'userPassword': PW_DM

+         })

+ 

+     users_ip = UserAccounts(topo.standalone, f"ou=IP,ou=Keywords,{DEFAULT_SUFFIX}", rdn=None)

+     for user in ['FULLIP_KEY', 'NETSCAPEIP_KEY', 'NOIP_KEY']:

+         users_ip.create(properties={

+             'uid': user,

+             'cn': user,

+             'sn': 'user',

+             'uidNumber': '1000',

+             'gidNumber': '2000',

+             'homeDirectory': '/home/' + user,

+             'userPassword': PW_DM

+         })

+ 

+     users_timeof_day = UserAccounts(topo.standalone, f"ou=Timeofday,ou=Keywords,{DEFAULT_SUFFIX}", rdn=None)

+     for user in ['FULLWORKER_KEY', 'DAYWORKER_KEY', 'NOWORKER_KEY', 'NIGHTWORKER_KEY']:

+         users_timeof_day.create(properties={

+             'uid': user,

+             'cn': user,

+             'sn': 'user',

+             'uidNumber': '1000',

+             'gidNumber': '2000',

+             'homeDirectory': '/home/' + user,

+             'userPassword': PW_DM

+         })

+ 

+     users_authmethod = UserAccounts(topo.standalone, f"ou=Authmethod,ou=Keywords,{DEFAULT_SUFFIX}", rdn=None)

+     for user in ['NONE_1_KEY', 'NONE_2_KEY', 'SIMPLE_1_KEY']:

+         users_authmethod.create(properties={

+             'uid': user,

+             'cn': user,

+             'sn': 'user',

+             'uidNumber': '1000',

+             'gidNumber': '2000',

+             'homeDirectory': '/home/' + user,

+             'userPassword': PW_DM

+         })

+ 

+     users_dns = UserAccounts(topo.standalone, f"ou=DNS,ou=Keywords,{DEFAULT_SUFFIX}", rdn=None)

+     for user in ['FULLDNS_KEY', 'SUNDNS_KEY', 'NODNS_KEY', 'NETSCAPEDNS_KEY']:

+         users_dns.create(properties={

+             'uid': user,

+             'cn': user,

+             'sn': 'user',

+             'uidNumber': '1000',

+             'gidNumber': '2000',

+             'homeDirectory': '/home/' + user,

+             'userPassword': PW_DM

+         })

+ 

+     def fin():

+         """

+         Deletes entries after the test.

+         """

+         for user in users_day_of_week.list() + users_ip.list() + users_timeof_day.list() + \

+                      users_authmethod.list() + users_dns.list():

+             user.delete()

+ 

+         for ou in sorted(ous_next.list(), key=lambda x: len(x.dn), reverse=True):

+             ou.delete()

+ 

+     request.addfinalizer(fin)

@@ -0,0 +1,386 @@ 

+ # --- BEGIN COPYRIGHT BLOCK ---

+ # Copyright (C) 2019 Red Hat, Inc.

+ # All rights reserved.

+ #

+ # License: GPL (version 3 or any later version).

+ # See LICENSE for details.

+ # --- END COPYRIGHT BLOCK ----

+ 

+ 

+ """

+ This test script will test wrong/correct key value with ACIs.

+ """

+ 

+ import os

+ import time

+ from datetime import datetime

+ import pytest

+ 

+ from lib389._constants import DEFAULT_SUFFIX, PW_DM

+ from lib389.idm.domain import Domain

+ from lib389.idm.organizationalunit import OrganizationalUnit

+ from lib389.idm.user import UserAccount

+ 

+ import ldap

+ 

+ 

+ KEYWORDS_OU_KEY = "ou=Keywords,{}".format(DEFAULT_SUFFIX)

+ DAYOFWEEK_OU_KEY = "ou=Dayofweek,{}".format(KEYWORDS_OU_KEY)

+ IP_OU_KEY = "ou=IP,{}".format(KEYWORDS_OU_KEY)

+ TIMEOFDAY_OU_KEY = "ou=Timeofday,{}".format(KEYWORDS_OU_KEY)

+ EVERYDAY_KEY = "uid=EVERYDAY_KEY,{}".format(DAYOFWEEK_OU_KEY)

+ TODAY_KEY = "uid=TODAY_KEY,{}".format(DAYOFWEEK_OU_KEY)

+ NODAY_KEY = "uid=NODAY_KEY,{}".format(DAYOFWEEK_OU_KEY)

+ FULLIP_KEY = "uid=FULLIP_KEY,{}".format(IP_OU_KEY)

+ NETSCAPEIP_KEY = "uid=NETSCAPEIP_KEY,{}".format(IP_OU_KEY)

+ NOIP_KEY = "uid=NOIP_KEY,{}".format(IP_OU_KEY)

+ FULLWORKER_KEY = "uid=FULLWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)

+ DAYWORKER_KEY = "uid=DAYWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)

+ NIGHTWORKER_KEY = "uid=NIGHTWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)

+ NOWORKER_KEY = "uid=NOWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)

+ 

+ 

+ def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):

+     """

+     User can access the data when connecting from certain network only as per the ACI.

+ 

+     :id:4ec38296-7ac5-11e8-9816-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Turn access log buffering off to make less time consuming

+     topo.standalone.config.set('nsslapd-accesslog-logbuffering', 'off')

+ 

+     # Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.

+     # Wait till Access Log is generated

+     topo.standalone.restart()

+ 

+     ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]

+ 

+     # Add ACI

+     domain = Domain(topo.standalone, DEFAULT_SUFFIX)

+     domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '

+                       f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')

+ 

+     # create a new connection for the test

+     conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, IP_OU_KEY)

+     org.replace("seeAlso", "cn=1")

+     # remove the aci

+     domain.ensure_removed("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci '

+                                  f'"IP aci"; allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and '

+                                  f'ip = "{ip_ip}" ;)')

+     # Now add aci with new ip

+     domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '

+                       f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "100.1.1.1" ;)')

+ 

+     # After changing  the ip user cant access data

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):

+     """

+     User cannot access the data when connectin from an unauthorized network as per the ACI.

+ 

+     :id:52d1ecce-7ac5-11e8-9ad9-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.

+     ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]

+     # Add ACI

+     domain = Domain(topo.standalone, DEFAULT_SUFFIX)

+     domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")'

+                       f'(targetattr=*)(version 3.0; aci "IP aci"; '

+                       f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '

+                       f'and ip != "{ip_ip}" ;)')

+ 

+     # create a new connection for the test

+     conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, IP_OU_KEY)

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         org.replace("seeAlso", "cn=1")

+     # Remove the ACI

+     domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])

+     # Add new ACI

+     domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)'

+                       f'(version 3.0; aci "IP aci"; allow(all) '

+                       f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')

+ 

+     # now user can access data

+     org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):

+     """

+     User NoIP cannot assess the data as per the ACI.

+ 

+     :id:570bc7f6-7ac5-11e8-88c1-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone,

+            DEFAULT_SUFFIX).add("aci", f'(target ="ldap:///{IP_OU_KEY}")'

+                                       f'(targetattr=*)(version 3.0; aci "IP aci"; allow(all) '

+                                       f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, NOIP_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, IP_OU_KEY)

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):

+     """

+     User can access the data at any time as per the ACI.

+ 

+     :id:5b4da91a-7ac5-11e8-bbda-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone,

+            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'

+                                       f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '

+                                       f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '

+                                       f'(timeofday >= "0000" and timeofday <= "2359") ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, FULLWORKER_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)

+     org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_can_access_the_data_only_in_the_morning(topo, add_user, aci_of_user):

+     """

+     User can access the data only in the morning as per the ACI.

+ 

+     :id:5f7d380c-7ac5-11e8-8124-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone,

+            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'

+                                       f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '

+                                       f'allow(all) userdn = "ldap:///{DAYWORKER_KEY}" '

+                                       f'and timeofday < "1200" ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, DAYWORKER_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)

+     if datetime.now().hour >= 12:

+         with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+             org.replace("seeAlso", "cn=1")

+     else:

+         org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_user):

+     """

+     User can access the data only in the afternoon as per the ACI.

+ 

+     :id:63eb5b1c-7ac5-11e8-bd46-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone,

+            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'

+                                       f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '

+                                       f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" '

+                                       f'and timeofday > \'1200\' ;)')

+ 

+     # create a new connection for the test

+     conn = UserAccount(topo.standalone, NIGHTWORKER_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)

+     if datetime.now().hour < 12:

+         with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+             org.replace("seeAlso", "cn=1")

+     else:

+         org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_timeofday_keyword(topo, add_user, aci_of_user):

+     """

+     User NOWORKER_KEY can access the data as per the ACI after removing

+     ACI it cant.

+ 

+     :id:681dd58e-7ac5-11e8-bed1-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     now = time.strftime("%c")

+     now_1 = "".join(now.split()[3].split(":"))[:4]

+     # Add ACI

+     domain = Domain(topo.standalone, DEFAULT_SUFFIX)

+     domain.add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'

+                       f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '

+                       f'allow(all) userdn = "ldap:///{NOWORKER_KEY}" '

+                       f'and timeofday = \'{now_1}\' ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, NOWORKER_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)

+     org.replace("seeAlso", "cn=1")

+     # Remove ACI

+     aci = domain.get_attr_vals_utf8('aci')[-1]

+     domain.ensure_removed('aci', aci)

+     assert aci not in domain.get_attr_vals_utf8('aci')

+     # after removing the ACI user cannot access the data

+     time.sleep(1)

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user):

+     """

+     User can access the data EVERYDAY_KEY as per the ACI.

+ 

+     :id:6c5922ca-7ac5-11e8-8f01-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone,

+            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'

+                                       f'(targetattr=*)(version 3.0; aci "Dayofweek aci"; '

+                                       f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '

+                                       f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, EVERYDAY_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)

+     org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):

+     """

+     User can access the data one day per week as per the ACI.

+ 

+     :id:7131dc88-7ac5-11e8-acc2-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     today_1 = time.strftime("%c").split()[0]

+     # Add ACI

+     Domain(topo.standalone,

+            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'

+                                       f'(targetattr=*)(version 3.0; aci "Dayofweek aci";  '

+                                       f'allow(all) userdn = "ldap:///{TODAY_KEY}" '

+                                       f'and dayofweek = \'{today_1}\' ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, TODAY_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)

+     org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):

+     """

+     User cannot access the data at all as per the ACI.

+ 

+     :id:75cdac5e-7ac5-11e8-968a-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone,

+            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'

+                                       f'(targetattr=*)(version 3.0; aci "Dayofweek aci";  '

+                                       f'allow(all) userdn = "ldap:///{TODAY_KEY}" '

+                                       f'and dayofweek = "$NEW_DATE" ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, NODAY_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         org.replace("seeAlso", "cn=1")

+ 

+ 

+ if __name__ == "__main__":

+     CURRENT_FILE = os.path.realpath(__file__)

+     pytest.main("-s -v %s" % CURRENT_FILE)
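Review bot: The ACI added in test_user_cannot_access_the_data_at_all uses the literal `dayofweek = "$NEW_DATE"`, which looks like an unexpanded variable carried over from the TET shell version; since that ACI also names TODAY_KEY while the test binds as NODAY_KEY, the expected INSUFFICIENT_ACCESS follows from the userdn mismatch alone and the dayofweek keyword is never exercised. A day that is certainly not today makes the assertion meaningful: `not_today = time.strftime("%a", time.localtime(time.time() + 86400))` and `userdn = "ldap:///{NODAY_KEY}" and dayofweek = "{not_today}"`. In test_timeofday_keyword and test_dayofweek_keyword_today_can_access the current time and weekday are recovered by splitting `time.strftime("%c")`, whose field layout is locale-dependent; `time.strftime("%H%M")` and `time.strftime("%a")` yield the same values directly, and the exact-minute `timeofday = '{now_1}'` match can spuriously fail if the minute rolls over between the add and the bind. test_connectin_from_an_unauthorized_network removes "the last" value with `domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])`, but LDAP does not guarantee attribute value order, so keep the ACI string in a local and pass exactly that to ensure_removed, as the first test does (the function name also has a typo, "connectin"). The identical `:steps:`/`:expectedresults:` docstring in every test says step 3 "should succeed" even for the negative cases; the denial tests should state that the operation is expected to fail with INSUFFICIENT_ACCESS.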

@@ -0,0 +1,462 @@ 

+ # --- BEGIN COPYRIGHT BLOCK ---

+ # Copyright (C) 2019 Red Hat, Inc.

+ # All rights reserved.

+ #

+ # License: GPL (version 3 or any later version).

+ # See LICENSE for details.

+ # --- END COPYRIGHT BLOCK ----

+ 

+ """

+ This test script will test wrong/correct key value with ACIs.

+ """

+ 

+ import os

+ import socket

+ import pytest

+ 

+ from lib389.idm.account import Anonymous

+ from lib389._constants import DEFAULT_SUFFIX, PW_DM

+ from lib389.idm.domain import Domain

+ from lib389.idm.organizationalunit import OrganizationalUnit

+ from lib389.idm.user import UserAccount

+ 

+ import ldap

+ 

+ 

+ KEYWORDS_OU_KEY = "ou=Keywords,{}".format(DEFAULT_SUFFIX)

+ DNS_OU_KEY = "ou=DNS,{}".format(KEYWORDS_OU_KEY)

+ IP_OU_KEY = "ou=IP,{}".format(KEYWORDS_OU_KEY)

+ FULLIP_KEY = "uid=FULLIP_KEY,{}".format(IP_OU_KEY)

+ AUTHMETHOD_OU_KEY = "ou=Authmethod,{}".format(KEYWORDS_OU_KEY)

+ SIMPLE_1_KEY = "uid=SIMPLE_1_KEY,{}".format(AUTHMETHOD_OU_KEY)

+ FULLDNS_KEY = "uid=FULLDNS_KEY,{}".format(DNS_OU_KEY)

+ SUNDNS_KEY = "uid=SUNDNS_KEY,{}".format(DNS_OU_KEY)

+ NODNS_KEY = "uid=NODNS_KEY,{}".format(DNS_OU_KEY)

+ NETSCAPEDNS_KEY = "uid=NETSCAPEDNS_KEY,{}".format(DNS_OU_KEY)

+ NONE_1_KEY = "uid=NONE_1_KEY,{}".format(AUTHMETHOD_OU_KEY)

+ NONE_2_KEY = "uid=NONE_2_KEY,{}".format(AUTHMETHOD_OU_KEY)

+ 

+ 

+ NONE_ACI_KEY = f'(target = "ldap:///{AUTHMETHOD_OU_KEY}")' \

+                f'(targetattr=*)(version 3.0; aci "Authmethod aci"; ' \

+                f'allow(all) userdn = "ldap:///{NONE_1_KEY}" and authmethod = "none" ;)'

+ 

+ SIMPLE_ACI_KEY = f'(target = "ldap:///{AUTHMETHOD_OU_KEY}")' \

+                  f'(targetattr=*)(version 3.0; aci "Authmethod aci"; ' \

+                  f'allow(all) userdn = "ldap:///{SIMPLE_1_KEY}" and authmethod = "simple" ;)'

+ 

+ 

+ def _add_aci(topo, name):

+     """

+     This function will add ACI to  DEFAULT_SUFFIX

+     """

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", name)

+ 

+ 

+ def test_user_binds_with_a_password_and_can_access_the_data(topo, add_user, aci_of_user):

+     """

+     User binds with a password and can access the data as per the ACI.

+ 

+     :id:f6c4b6f0-7ac4-11e8-a517-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     _add_aci(topo, NONE_ACI_KEY)

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, NONE_1_KEY).bind(PW_DM)

+     # Perform Operation

+     OrganizationalUnit(conn, AUTHMETHOD_OU_KEY).replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_binds_with_a_bad_password_and_cannot_access_the_data(topo, add_user, aci_of_user):

+     """

+     User binds with a BAD password and cannot access the data .

+ 

+     :id:0397744e-7ac5-11e8-bfb1-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # User binds with a bad password and cannot access the data

+     with pytest.raises(ldap.UNWILLING_TO_PERFORM):

+         UserAccount(topo.standalone, NONE_1_KEY).bind("")

+ 

+ 

+ def test_anonymous_user_cannot_access_the_data(topo, add_user, aci_of_user):

+     """

+     Anonymous user cannot access the data

+ 

+     :id:0821a55c-7ac5-11e8-b214-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     _add_aci(topo, NONE_ACI_KEY)

+ 

+     # Create a new connection for this test.

+     conn = Anonymous(topo.standalone).bind()

+     # Perform Operation

+     org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_authenticated_but_has_no_rigth_on_the_data(topo, add_user, aci_of_user):

+     """

+     User has a password. He is authenticated but has no rigth on the data.

+ 

+     :id:11be7ebe-7ac5-11e8-b754-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     _add_aci(topo, NONE_ACI_KEY)

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, SIMPLE_1_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_the_bind_client_is_accessing_the_directory(topo, add_user, aci_of_user):

+     """

+      The bind rule is evaluated to be true if the client is accessing the directory as per the ACI.

+ 

+      :id:1715bfb2-7ac5-11e8-8f2c-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     _add_aci(topo, SIMPLE_ACI_KEY)

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, SIMPLE_1_KEY).bind(PW_DM)

+     # Perform Operation

+     OrganizationalUnit(conn, AUTHMETHOD_OU_KEY).replace("seeAlso", "cn=1")

+ 

+ 

+ def test_users_binds_with_a_password_and_can_access_the_data(

+         topo, add_user, aci_of_user):

+     """

+     User binds with a password and can access the data as per the ACI.

+ 

+     :id:1bd01cb4-7ac5-11e8-a2f1-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     _add_aci(topo, SIMPLE_ACI_KEY)

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, SIMPLE_1_KEY).bind(PW_DM)

+     # Perform Operation

+     OrganizationalUnit(conn, AUTHMETHOD_OU_KEY).replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_binds_without_any_password_and_cannot_access_the_data(topo, add_user, aci_of_user):

+     """

+     User binds without any password and cannot access the data

+ 

+     :id:205777fa-7ac5-11e8-ba2f-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     _add_aci(topo, SIMPLE_ACI_KEY)

+ 

+     # Create a new connection for this test.

+     conn = Anonymous(topo.standalone).bind()

+     # Perform Operation

+     org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_can_access_the_data_when_connecting_from_any_machine(

+         topo, add_user, aci_of_user

+ ):

+     """

+     User can access the data when connecting from any machine as per the ACI.

+ 

+     :id:28cbc008-7ac5-11e8-934e-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone, DEFAULT_SUFFIX)\

+         .add("aci", f'(target ="ldap:///{DNS_OU_KEY}")'

+                     f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '

+                     f'userdn = "ldap:///{FULLDNS_KEY}" and dns = "*" ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, FULLDNS_KEY).bind(PW_DM)

+     # Perform Operation

+     OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_can_access_the_data_when_connecting_from_internal_ds_network_only(

+         topo, add_user, aci_of_user

+ ):

+     """

+     User can access the data when connecting from internal ICNC network only as per the ACI.

+     :id:2cac2136-7ac5-11e8-8328-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     dns_name = socket.getfqdn()

+     # Add ACI

+     Domain(topo.standalone, DEFAULT_SUFFIX).\

+         add("aci", [f'(target = "ldap:///{DNS_OU_KEY}")'

+                     f'(targetattr=*)(version 3.0; aci "DNS aci"; '

+                     f'allow(all) userdn = "ldap:///{SUNDNS_KEY}" and dns = "*redhat.com" ;)',

+                     f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'

+                     f'(version 3.0; aci "DNS aci"; allow(all) '

+                     f'userdn = "ldap:///{SUNDNS_KEY}" and dns = "{dns_name}" ;)'])

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, SUNDNS_KEY).bind(PW_DM)

+     # Perform Operation

+     OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_can_access_the_data_when_connecting_from_some_network_only(

+         topo, add_user, aci_of_user

+ ):

+     """

+     User can access the data when connecting from some network only as per the ACI.

+ 

+     :id:3098512a-7ac5-11e8-af85-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     dns_name = socket.getfqdn()

+     # Add ACI

+     Domain(topo.standalone, DEFAULT_SUFFIX)\

+         .add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'

+                     f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '

+                     f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '

+                     f'and dns = "{dns_name}" ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)

+     # Perform Operation

+     OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")

+ 

+ 

+ def test_from_an_unauthorized_network(topo, add_user, aci_of_user):

+     """

+     User cannot access the data when connecting from an unauthorized network as per the ACI.

+ 

+     :id:34cf9726-7ac5-11e8-bc12-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone, DEFAULT_SUFFIX).\

+         add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'

+                    f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '

+                    f'userdn = "ldap:///{NETSCAPEDNS_KEY}" and dns != "red.iplanet.com" ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)

+     # Perform Operation

+     OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_network_2(

+         topo, add_user, aci_of_user):

+     """

+     User cannot access the data when connecting from an unauthorized network as per the ACI.

+ 

+     :id:396bdd44-7ac5-11e8-8014-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone, DEFAULT_SUFFIX).\

+         add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'

+                    f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '

+                    f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '

+                    f'and dnsalias != "www.redhat.com" ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)

+     # Perform Operation

+     OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_cannot_access_the_data_if_not_from_a_certain_domain(topo, add_user, aci_of_user):

+     """

+     User cannot access the data if not from a certain domain as per the ACI.

+     :id:3d658972-7ac5-11e8-930f-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone, DEFAULT_SUFFIX).\

+         add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'

+                    f'(version 3.0; aci "DNS aci"; allow(all) '

+                    f'userdn = "ldap:///{NODNS_KEY}" '

+                    f'and dns = "RAP.rock.SALSA.house.COM" ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):

+     """

+     Dnsalias Keyword NODNS_KEY cannot assess data as per the ACI.

+ 

+     :id:41b467be-7ac5-11e8-89a3-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone, DEFAULT_SUFFIX).\

+         add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'

+                    f'(version 3.0; aci "DNS aci"; allow(all) '

+                    f'userdn = "ldap:///{NODNS_KEY}" and '

+                    f'dnsalias = "RAP.rock.SALSA.house.COM" ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)

+     # Perform Operation

+     org = OrganizationalUnit(conn, DNS_OU_KEY)

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         org.replace("seeAlso", "cn=1")

+ 

+ 

+ def test_user_can_access_the_data_when_connecting_from_any_machine_2(topo, add_user, aci_of_user):

+     """

+     User can access the data when connecting from any machine as per the ACI.

+ 

+     :id:461e761e-7ac5-11e8-9ae4-8c16451d917b

+     :setup: Standalone Server

+     :steps:

+         1. Add test entry

+         2. Add ACI

+         3. User should follow ACI role

+     :expectedresults:

+         1. Entry should be added

+         2. Operation should  succeed

+         3. Operation should  succeed

+     """

+     # Add ACI

+     Domain(topo.standalone, DEFAULT_SUFFIX).\

+         add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr=*)'

+                    f'(version 3.0; aci "IP aci"; allow(all) '

+                    f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')

+ 

+     # Create a new connection for this test.

+     conn = UserAccount(topo.standalone, FULLIP_KEY).bind(PW_DM)

+     # Perform Operation

+     OrganizationalUnit(conn, IP_OU_KEY).replace("seeAlso", "cn=1")

+ 

+ 

+ if __name__ == "__main__":

+     CURRENT_FILE = os.path.realpath(__file__)

+     pytest.main("-s -v %s" % CURRENT_FILE)

Port ACI test suit from TET to python3(keyaci)

https://pagure.io/389-ds-base/issue/50112

Reviewed by: ???

rebased onto 17579d7f79130dea5f580e4042c2df7b6b7d0d85

5 years ago

rebased onto 3ef9d5ae844be2ae034edacdd2a0edf8bad40dc9

5 years ago

rebased onto 5389a8a887f2b8e800b53b965495b3acad77d960

5 years ago

rebased onto 2785fd0936e07e02a217b9479b859f127cdbbdda

5 years ago

rebased onto 7f273a0a7f2edacde77c3c77f760058491070d6c

5 years ago

Seems okay to me, but should probably get @spichugi or @firstyear to look it over as well.

A lot of the issues you have here were already mentioned by @firstyear in previous PRs.
I'll go once again through the stuff - just to be more explicit...

But. Let's first fix small issues regarding the code. It will increase the readability and it covers 80% of the issues we usually mention in the review.

Please, run this and fix the issues it points out:

pip3 install pytest-pylint
py.test --pylint -m pylint dirsrvtests/tests/suites/acl/keywords_part2_test.py dirsrvtests/tests/suites/acl/keywords_test.py

Also, reach to me or any of us if you have any doubts about the report.

rebased onto cda118046e82f0ef88e32c2c01781568bf77496f

5 years ago

This may not work the way you want. Imagine I have my hosts file setup as:

172.24.10.1     systemhostname.localdomain

So socket.gethostname will give me my hostname, then it will give me the 172.24.x.x address, BUT we are connected to the test instance via localhost.

So I think this will have issues in containers and other host configurations.

Possibly the best thing to do here is actually just make ip '127.0.0.1', because in tests we generally connect to localhost only, and we should only be using that. Check topologies.py maybe.

'(target = "ldap:///{}")(targetattr=*)(version 3.0; aci "IP aci"; allow(all) userdn = "ldap:///{}" and ip != "{}" ;)'

This could be turned into an ACI_TEMPLATE constant that you populate into, and use named formats, not positional, for clarity.

You have this mod_seealso, but it only replaces one line? Also, by doing the _mod_seealso you are sneakily violating a rule I told you: ONLY test the exceptions
from a single function.

Your modsee also is initing the object with the conn and doing the read, when you actually, should have the object create outside of the "with pytest.raises".

Remember, all your code must follow this pattern. "correct, simple, fast". you have targetted "simple, correct, fast". As a result, you have broken a correctness rule by prematurely trying to over simplify.

This is not a good test because you are relying on external state of the system to then check the TIME, and determine results.

Consider the CI server. It only runs at about 12:00 my time AEST, so that's probably about 02:00AM UTC at a guess. So then this test in CI will ONLY ever
attempt the MORNING path, and will never actually check the AFTERNOON path. Before you say "but there is a test data in the afternoon ..." time is continually flowing, and so between this test and the afternoon test what happens if it goes from morning to afternoon? Now what? There are cases left untested.

A better solution is to take the current time, +- 2 hours either side as your allow window, then check you are allowed. Then have a denied test where you have +12 (+- 2 hours) from now, and assert it's denied.

No timezone issues, no flow issues, no risks.

A better solution is LD_PRELOAD a time shim into the server but that's wayyyyy out of scope.

Also, this is probably a really ineffective way to get a datetime. You actually want:

>>> from datetime import datetime
>>> datetime.now()
>>> datetime.now().hour

I don't really know why you chose to code this like this, but it seems like instead of taking the time to research the right way to do it, you chose to rush and bruteforce a solution.

This is not a clear explanation, and your test code isn't clear what the ACI is testing due to your use of constants. I think you need a much better comment here about what this is attempting to do.

Similar: this is not a good comment. WHY can they not access the data? How is the ACI constructed to not allow the access?

Email says @aborah has commented, but they are not appearing.

ip = socket.gethostbyname(socket.gethostname()) --->>> This is the real ip of my machine.
If I have to follow your point, I have to assign '127.0.0.1' to my machine or the test will fail.

socket.gethostbyname(socket.gethostname()) is the universal way to detect any ip address . If
your machine have ip of "127.0.0.1", socket.gethostbyname(socket.gethostname()) will detect it
and will assign it to aci .

I'm sorry, but this is incorrect in this context. gethostname get's you the primary interface of the machine, and only if your hosts file is filled correctly. Imagine my machine hostname was "candice" but /etc/hosts didn't have that entry? Then socket.gethostbyname will fail because there is no host candice.

When you are writing tests like this, the only ip you can guarantee will exist is 127.0.0.1. That's it. As well, you are always connecting by localhost (because that's what DirSrv does in tests!). Which means if you want to test an ACI by ip, you have to test by the ip we are connecting on which is always localhost. There is no way for you to avoid that.

Perhaps to make this more clear, here the output of ip from my docker env:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: eth0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

So here, socket gethostname will give me 'ldapkdc.example.com' for the container, that then resolves to '172.17.0.4', but dirsrv will connect via localhost, so will bypass the aci anyway.

For a different example, my laptop:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    nd6 options=201<PERFORMNUD,DAD>
...
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 38:f9:d3:51:eb:07
    inet6 fe80::1c5e:d5d5:c994:6652%en0 prefixlen 64 secured scopeid 0xa
    inet 192.168.1.119 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
>>> import socket
>>> socket.gethostname()
'amethyst'
>>> socket.gethostbyname('amethyst')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
socket.gaierror: [Errno 8] nodename nor servname provided, or not known

So the test would FAIL on my machine here, because my hosts is:

127.0.0.1   localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0 localhost

Please, just use localhost. I'm offering a simpler, more robust way for you to conduct the test case here (just use localhost), but instead you seem to be arguing for a more complex, less portable, more fragile solution? I won't accept it, I'm sorry.

rebased onto 550bb86943571086cd30aaabab507f2717f0c6d3

5 years ago

Changes are done , Please check

rebased onto 31500960a5a566f39c7e4b32bd43ade5ed2ea1d3

5 years ago

@spichugi , @firstyear , please review. @mreynolds already has already ack for this one

The comments like this look weird. Also I don't see any sense in them if we already have the test function name and docstrings. They just repeat.

dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_access_from_certain_network_only_ip 
dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_timeofday_keyword

These tests have failed for me on OpenStack machine (1minutetip).
Exceptions - DID NOT RAISE

The comments like this look weird. Also I don't see any sense in them if we already have the test function name and docstrings. They just repeat.

I've asked him to write comments explaining what the tests do, but I think these comments need work as you point out ... They should explain more about the intent, and why we test it the way we do, and why things are structured as they are for example.

These tests have failed for me on OpenStack machine (1minutetip).
Exceptions - DID NOT RAISE

This worked for me, what do you have in the logs?

rebased onto c0acc23cebea1f719f5cce63239627aeb59733b1

5 years ago

@spichugi , @firstyear , @vashirov All changes are done , please check

rebased onto 3adf6cb8a89f559c4b83ae7bd9f251f3254e9119

5 years ago

rebased onto ff75996b10ad17ab88d9b5f87b9849c6a7144681

5 years ago

rebased onto d3cf14747bc48f5d7bb0d34924b555cf1a008f79

4 years ago

rebased onto 422c90c1d7fd8e33f260c7abc93081761888d7a1

4 years ago

It should not be a docstring. Please, check other files for the example

You've just created the ou. You can use the DN from the DSLdapObject itself. Less hardcoding is better :)

You create 'Authmethod', 'DNS' but you don't use them... I can't see any reason why (except it was copy-pasted)

Please, don't use a bare DSLdapObject without a legitimate reason.
You can operate with right DSLdapObject types here and group the removal separately for ou, useraccount, etc..

You can fetch the log by restarting the instance.
The operation you have used is dangerous.

It fails for me on 1minutetip machine here
Failed: DID NOT RAISE <class 'ldap.INSUFFICIENT_ACCESS'>

If I recall correctly, you can put the fixtures in a separate file (conftest.py) and call them here.
This way you'll get rid of the redundancy.

rebased onto ef4a755928c0c8bdbc8ac76cc25863441babf1ab

4 years ago

if I recall correctly, you can put the fistures in a separate file (conftest.py) and call them here.
This way you'll get rid of the redundancy.

I was doing exactly the same as you are suggesting while pushing the ACI test suites. But somebody, maybe firstyear or viktor, advised me not to create separate files for one test suite, and instead to create an independent test script which can be run on its own. That's why I am not doing it.

All other changes are done as per your suggestion

It should be the docstring for the whole module. In this case, for the whole test suite

You also created 5 OUs. Shouldn't we remove them also?

As I said, please, use the restart operation for flushing logs

Please, use the ds_access_log fully here (it has an option for matching)

rebased onto f39a03239ef2cd89a99643ef2d91da6ee7c6d591

4 years ago

@spichugi all changes are done as per your suggestion

It looks a bit weird and implicit. What are you doing here?

It looks a bit weird and implicit. What are you doing here?

(Pdb) for i in ous_next.list(): i.dn
'ou=Keywords,dc=example,dc=com'
'ou=Dayofweek,ou=Keywords,dc=example,dc=com'
'ou=DNS,ou=Keywords,dc=example,dc=com'
'ou=IP,ou=Keywords,dc=example,dc=com'
'ou=Timeofday,ou=Keywords,dc=example,dc=com'

It contains 'ou=Keywords,dc=example,dc=com' , if you try to delete

for i in ous_next.list():
i.delete()

you will get a non-leaf error; that's why I first removed it from the list, then deleted the sub-entries,
and then deleted 'ou=Keywords,dc=example,dc=com' separately.
ous = ous_next.list()
ous.pop(0)

  for i in ous:
        i.delete()

ou_origin.delete()

It looks a bit weird and implicit. What are you doing here?

(Pdb) for i in ous_next.list(): i.dn
'ou=Keywords,dc=example,dc=com'
'ou=Dayofweek,ou=Keywords,dc=example,dc=com'
'ou=DNS,ou=Keywords,dc=example,dc=com'
'ou=IP,ou=Keywords,dc=example,dc=com'
'ou=Timeofday,ou=Keywords,dc=example,dc=com'

You can sort the list in a way the parent will be at the end of the list.
The way you have it is too implicit and hard to follow. Also, it is hacky which we should avoid.

I was doing exactly same as you are suggesting while pushing ACI test suits . But somebody may be firstyear or viktor advised me not to create separate files for one test suit . Just create independent test script , which can be run independently .Thats why i am not doing it .

Still, I think we should put it into conftest.py or into __init__.py. It doesn't make sense to put it into lib389, but it is redundant to have it duplicated in both files.

rebased onto ef93984fd66e3801d79b5527255b85d5ba5acf91

4 years ago

rebased onto 3223a0e42ecd2ef7f99bcddf4947a7a1bef0344e

4 years ago

@spichugi all changes are done as per your suggestion

We should have the copyright here too

All of the imports should be separated to all of the test suite files accordingly to its usage. So please, clean up them. You shouldn't import all of them in the conftest.py

rebased onto 3b4d050a749943ddc49809986f82d4603b0e7752

4 years ago

Please, sort the list.
The returned order matters.

rebased onto a29b3885a0742f96cc125e9ce530a53bd0b87930

4 years ago

Please, sort the list.
The returned order matters.

Can you please point it out again , i missed it

Please, sort the list.
The returned order matters.

Can you please point it out again , i missed it

(Pdb) ous.sort
<built-in method sort of list object at 0x7f046bb18b48>
(Pdb) ous.sort()
*** TypeError: '<' not supported between instances of 'OrganizationalUnit' and 'OrganizationalUnit'
(Pdb) ous.reverse()

it can be reversed , but cant be sorted

rebased onto a1d6254e9799c5ddbdaf579eeed9de5790229e78

4 years ago

rebased onto 757de9cd65505d93be4c05b33d1a6dcd95f83b45

4 years ago

rebased onto 7e35a199cb9d23c34148eacea543943bdca79aa7

4 years ago

@spichugi all changes are done as per your suggestion

rebased onto 5b244257999c76e28823c9cdabf2566bfcf8a0a3

4 years ago

rebased onto 53f94845fb6f8086a050ba0fefe555e4cb516ec6

4 years ago

rebased onto 61d1e12b73ea87b19de2aae6f99f094c8ec4be4e

4 years ago

Please, sort the list.
The returned order matters.
Can you please point it out again , i missed it

(Pdb) ous.sort
<built-in method sort of list object at 0x7f046bb18b48>
(Pdb) ous.sort()
*** TypeError: '<' not supported between instances of 'OrganizationalUnit' and 'OrganizationalUnit'
(Pdb) ous.reverse()
it can be reversed , but cant be sorted

The return order of the ldapsearch (and search_s) is not defined.
To be sure, we should sort the objects.

OrganizationalUnit doesn't have sort but you still can sort.
For that, you can use sorted() function - set key to the OrganizationalUnit.dn length using a lambda function. And set reverse to True.
Then you can safely run through the list and delete the objects.

rebased onto 8aeeae3b54f47afd867ef09cdb75c3419fd02151

4 years ago

@spichugi all changes are done as per your suggestion

rebased onto 5bae063a0b771d12a977c2a868640d7a4a3a5ca5

4 years ago

You can sort directly the ous_next.list(). For that, you should set the key to the lambda function for len(i.dn).

rebased onto 9b04ab2e041b5a8d78bed8929115cc959935e143

4 years ago

@spichugi all changes are done as per your suggestion

Looks good. Small nitpick though - could you please change the i to something like ou? It is better to use meaningful names always.
Otherwise - very good job! Great

The test case still fails on 1minutetip machine.
As @viktor pointed out, it happens because of the race condition. You can see it on fast machines while no special logging is enabled.
Could you please check it (reproduce) and then fix it with a flush of the logs or some other sane way?

@spichugi , till i figure out why that specific test case is failing (on fast machines), can you please start reviewing this PR : https://pagure.io/389-ds-base/pull-request/50192

rebased onto 046f9e2b724145a56a328f0763efcc26f1784fdc

4 years ago

@spichugi all changes are done as per your suggestion; I have made some changes to the failing test cases, so hopefully these test cases will not fail now.

Just realised, dn_dn looks pretty weird. What is it?
I suggested to use ou here because it represents OrganisationalUnit object. It is not a DN, it is a DSLdapObject.

Could you please fix it here and in other places? dn_dn is really confusing.

Please, check the documentation about conftest.py. You don't need to import it. It is used by pytest by default.

dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_timeofday_keyword still fails for me.

Also dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_connectin_from_an_unauthorized_network has started to fail.

>       ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]
E       IndexError: list index out of range

rebased onto 91361fa3db77c4930222b524b5cbae9528053457

4 years ago

rebased onto 77aa76b178e7a0e33c915d75f2f82e2f3b21512b

4 years ago

@spichugi all changes are done as per your suggestion, Can you please rerun the tests

rebased onto cfe033a6713316a40c970f4cde3f884fc4053990

4 years ago

dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_connectin_from_an_unauthorized_network is still failing but with another error.

        # now user can access data
>       org.replace("seeAlso", "cn=1")
E         ldap.INSUFFICIENT_ACCESS: {'desc': 'Insufficient access', 'info': "Insufficient 'write' privilege to the 'seeAlso' attribute of entry 'ou=ip,ou=keywords,dc=example,dc=com'.\n"}

And about dirsrvtests/tests/suites/acl/keywords_part2_test.py::test_timeofday_keyword...
Why did you remove the failing part of the test case instead of fixing it?
I've mentioned a possible cause of the failure here - https://pagure.io/389-ds-base/pull-request/50180#comment-85197

rebased onto 468b8a8

4 years ago

@spichugi all changes are done as per your suggestion, Can you please rerun the tests

LGTM! Thanks!
Ack

Pull-Request has been merged by vashirov

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3239

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

3 years ago