#50319 Issue:50112 - Port ACI test suit from TET to python3(Delete and Add)
Closed 3 years ago by spichugi. Opened 4 years ago by aborah.
aborah/389-ds-base deladd  into  master

@@ -0,0 +1,454 @@ 

+ # --- BEGIN COPYRIGHT BLOCK ---

+ # Copyright (C) 2019 Red Hat, Inc.

+ # All rights reserved.

+ #

+ # License: GPL (version 3 or any later version).

+ # See LICENSE for details.

+ # --- END COPYRIGHT BLOCK ---

+ 

+ """

+ Importing necessary Modules.

+ """

+ 

+ import os

+ import pytest

+ 

+ from lib389._constants import DEFAULT_SUFFIX, PW_DM

+ from lib389.idm.user import UserAccount, UserAccounts

+ from lib389.idm.group import Groups

+ from lib389.idm.organizationalunit import OrganizationalUnit, OrganizationalUnits

+ from lib389.topologies import topology_st as topo

+ from lib389.idm.domain import Domain

+ 

+ import ldap

+ 

+ 

+ USER_WITH_ACI_DELADD = 'uid=test_user_1000,ou=People,dc=example,dc=com'

+ USER_DELADD = 'uid=test_user_1,ou=Accounting,dc=example,dc=com'

+ 

+ 

+ @pytest.fixture(scope="function")

+ def _aci_of_user(request, topo):

+     """

+     Removes and Restores ACIs after the test.

+     """

+     aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')

+ 

+     def finofaci():

+         """

+         Removes and Restores ACIs after the test.

+         """

+         domain = Domain(topo.standalone, DEFAULT_SUFFIX)

+         domain.remove_all('aci')

+         for i in aci_list:

+             domain.add("aci", i)

+ 

+     request.addfinalizer(finofaci)

+ 

+ 

+ @pytest.fixture(scope="function")

+ def _add_user(request, topo):

+     """

+     This function will create user for the test and in the end entries will be deleted .

+     """

+ 

+     users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)

+     user = users.create_test_user()

+     user.set("userPassword", PW_DM)

+ 

+     ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)

+     ous.create(properties={'ou':'Accounting'})

+ 

+     users = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')

+     for i in range(1, 3):

+         user = users.create_test_user(uid=i, gid=i)

+         user.set("userPassword", PW_DM)

+ 

+     def fin():

+         """

+         Deletes entries after the test.

+         """

+         users1 = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None)

+         for dn_dn in users1.list():

+             dn_dn.delete()

+ 

+         groups = Groups(topo.standalone, DEFAULT_SUFFIX)

+         for dn_dn in groups.list():

+             dn_dn.delete()

+ 

+         ou_ou = OrganizationalUnit(topo.standalone, f'ou=Accounting,{DEFAULT_SUFFIX}')

+         ou_ou.delete()

+ 

+     request.addfinalizer(fin)

+ 

+ 

+ def test_allow_delete_access_to_groupdn(topo, _add_user, _aci_of_user):

+ 

+     """

+     Test allow delete access to groupdn

+     :id: 7cf15992-68ad-11e8-85af-54e1ad30572c

+     :setup: topo.standalone

+     :steps:

+         1. Add test entry

+         2. Add ACI that allows groupdn to delete

+         3. Delete something using test USER_DELADD

+         4. Remove ACI

+     :expectedresults:

+         1. Entry should be added

+         2. ACI should be added

+         3. Delete operation should succeed

+         4. Delete operation for ACI should succeed

+     """

+     # Create Group and add member

+     groups = Groups(topo.standalone, DEFAULT_SUFFIX)

+     group = groups.create(properties={"cn": "group1",

+                                       "description": "testgroup"})

+     group.add_member(USER_WITH_ACI_DELADD)

+ 

+     # set aci

+     aci_target = f'(targetattr="*")'

+     aci_allow = f'(version 3.0; acl "All rights for {group.dn}"; allow (delete) '

+     aci_subject = f'groupdn="ldap:///{group.dn}";)'

+ 

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))

+ 

+     # create connection with USER_WITH_ACI_DELADD

+     conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

+ 

+     # Perform delete operation

+     for i in [USER_DELADD, USER_WITH_ACI_DELADD]:

+         UserAccount(conn, i).delete()

+ 

+ 

+ def test_allow_add_access_to_anyone(topo, _add_user, _aci_of_user):

+ 

+     """

+     Test to  allow add access  to anyone

+     :id: 5ca31cc4-68e0-11e8-8666-8c16451d917b

+     :setup: topo.standalone

+     :steps:

+         1. Add test entry

+         2. Add ACI that allows groupdn to add

+         3. Add something using test USER_DELADD

+         4. Remove ACI

+     :expectedresults:

+         1. Entry should be added

+         2. ACI should be added

+         3. Add operation should succeed

+         4. Delete operation for ACI should succeed

+     """

+     # set aci

+     aci_target = f'(targetattr="*")'

+     aci_allow = f'(version 3.0; acl "All rights for anyone"; allow (add) '

+     aci_subject = f'userdn="ldap:///anyone";)'

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))

+ 

+     # create connection with USER_WITH_ACI_DELADD

+     conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

+ 

+     # Perform add operation

+     users = UserAccounts(conn, DEFAULT_SUFFIX, rdn='ou=Accounting')

+     user = users.create_test_user(gid=3, uid=3)

+     assert user.exists()

+ 

+     users = UserAccounts(conn, DEFAULT_SUFFIX)

+     user = users.create_test_user(gid=3, uid=3)

+     assert user.exists()

+ 

+ 

+ def test_allow_delete_access_to_anyone(topo, _add_user, _aci_of_user):

+ 

+     """

+     Test to allow  delete access to anyone

+     :id: f5447c7e-68e1-11e8-84c4-8c16451d917b

+     :setup: server

+     :steps:

+         1. Add test entry

+         2. Add ACI that allows groupdn  to delete some userdn

+         3. Delete  something using test USER_DELADD

+         4. Remove ACI

+     :expectedresults:

+         1. Entry should be added

+         2. ACI should be added

+         3. Operation should  succeed

+         4. Delete operation for ACI should succeed

+     """

+     # set aci

+     aci_target = f'(targetattr="*")'

+     aci_allow = f'(version 3.0; acl "All rights for anyone"; allow (delete) '

+     aci_subject = f'userdn="ldap:///anyone";)'

+ 

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))

+ 

+     # create connection with USER_WITH_ACI_DELADD

+     conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

+ 

+     # Perform delete operation

+     UserAccount(conn, USER_DELADD).delete()

+ 

+ 

+ def test_allow_delete_access_not_to_userdn(topo, _add_user, _aci_of_user):

+ 

+     """

+     Test to  Allow delete access to != userdn

+     :id: 00637f6e-68e3-11e8-92a3-8c16451d917b

+     :setup: server

+     :steps:

+         1. Add test entry

+         2. Add ACI that allows userdn  not to delete some userdn

+         3. Delete  something using test USER_DELADD

+         4. Remove ACI

+     :expectedresults:

+         1. Entry should be added

+         2. ACI should be added

+         3. Operation should  not succeed

+         4. Delete operation for ACI should succeed

+     """

+     # set aci

+     aci_target = f'(targetattr="*")'

+     aci_allow = f'(version 3.0; acl "All rights for %s"; allow (delete) ' % USER_DELADD

+     aci_subject = f'userdn!="ldap:///{USER_WITH_ACI_DELADD}";)'

+ 

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))

+ 

+     # create connection with USER_WITH_ACI_DELADD

+     conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

+ 

+     # Perform delete operation

+     user = UserAccount(conn, USER_DELADD)

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         user.delete()

+ 

+ 

+ def test_allow_delete_access_not_to_group(topo, _add_user, _aci_of_user):

+ 

+     """

+     Test to Allow delete access to != groupdn

+     :id: f58fc8b0-68e5-11e8-9313-8c16451d917b

+     :setup: server

+     :steps:

+         1. Add test entry

+         2. Add ACI that allows groupdn  not to delete some userdn

+         3. Delete  something using test USER_DELADD belong to test group

+         4. Remove ACI

+     :expectedresults:

+         1. Entry should be added

+         2. ACI should be added

+         3. Operation should  not succeed

+         4. Delete operation for ACI should succeed

+     """

+     # Create group

+     groups = Groups(topo.standalone, DEFAULT_SUFFIX)

+     group = groups.create(properties={"cn": "group1",

+                                       "description": "testgroup"})

+     group.add_member(USER_WITH_ACI_DELADD)

+ 

+     # set aci

+     aci_target = f'(targetattr="*")'

+     aci_allow = f'(version 3.0; acl "All rights for {group.dn}"; allow (delete)'

+     aci_subject = f'groupdn!="ldap:///{group.dn}";)'

+ 

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))

+ 

+     # create connection with USER_WITH_ACI_DELADD

+     conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

+     user = UserAccount(conn, USER_DELADD)

+ 

+     # Perform delete operation

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         user.delete()

+ 

+ 

+ def test_allow_add_access_to_parent(topo, _add_user, _aci_of_user):

+ 

+     """

+     Test to Allow add privilege to parent

+     :id: 2dd7f624-68e7-11e8-8591-8c16451d917b

+     :setup: server

+     :steps:

+         1. Add test entry

+         2. Add ACI that Allow add privilege to parent

+         3. Add something using test USER_DELADD

+         4. Remove ACI

+     :expectedresults:

+         1. Entry should be added

+         2. ACI should be added

+         3. Operation should   succeed

+         4. Delete operation for ACI should succeed

+     """

+     # set aci

+     aci_target = f'(targetattr="*")'

+     aci_allow = f'(version 3.0; acl "All rights for parent"; allow (add) '

+     aci_subject = f'userdn="ldap:///parent";)'

+ 

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))

+ 

+     # create connection with USER_WITH_ACI_DELADD

+     conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

+ 

+     # Perform Allow add privilege to parent

+     users = UserAccounts(conn, DEFAULT_SUFFIX, rdn='uid=test_user_1000, ou=people')

+     user = users.create_test_user(gid=1, uid=1)

+     assert user.exists()

+ 

+     # Delete created user

+     UserAccounts(topo.standalone, DEFAULT_SUFFIX).get('test_user_1').delete()

+ 

+ 

+ def test_allow_delete_access_to_parent(topo, _add_user, _aci_of_user):

+ 

+     """

+     Test to  Allow delete access to parent

+     :id: 2dd7f624-68e7-11e8-8591-8c16451d917b

+     :setup: server

+     :steps:

+         1. Add test entry

+         2. Add ACI that Allow delete privilege to parent

+         3. Delete something using test USER_DELADD

+         4. Remove ACI

+     :expectedresults:

+         1. Entry should be added

+         2. ACI should be added

+         3. Operation should   succeed

+         4. Delete operation for ACI should succeed

+     """

+     # set aci

+     aci_target = f'(targetattr="*")'

+     aci_allow = f'(version 3.0; acl "All rights for parent"; allow (add,delete) '

+     aci_subject = f'userdn="ldap:///parent";)'

+ 

+     Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))

+ 

+     # create connection with USER_WITH_ACI_DELADD

+     conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

+ 

+     # Create a user with parent 'uid=test_user_1000, ou=people, {}'.format(DEFAULT_SUFFIX)

+     users = UserAccounts(conn, DEFAULT_SUFFIX, rdn='uid=test_user_1000, ou=people')

+     new_user = users.create_test_user(gid=1, uid=1)

+     assert new_user.exists()

+ 

+     # Perform Allow delete access to parent

+     new_user.delete()

+ 

+ 

+ def test_allow_delete_access_to_dynamic_group(topo, _add_user, _aci_of_user):

+ 

+     """

+     Test to  Allow delete access to dynamic group

+     :id: 14ffa452-68ed-11e8-a60d-8c16451d917b

+     :setup: server

+     :steps:

+         1. Add test entry

+         2. Add ACI that Allow delete privilege to dynamic group

+         3. Delete something using test USER_DELADD

+         4. Remove ACI

+     :expectedresults:

+         1. Entry should be added

+         2. ACI should be added

+         3. Operation should   succeed

+         4. Delete operation for ACI should succeed

+     """

+     # Create dynamic group

+     groups = Groups(topo.standalone, DEFAULT_SUFFIX)

+     group = groups.create(properties={"cn": "group1",

+                                       "description": "testgroup"})

+ 

+     group.add("objectclass", "groupOfURLs")

+     group.add("memberURL",

+               f"ldap:///dc=example,dc=com??sub?(&(objectclass=person)(uid=test_user_1000))")

+ 

+     # Set ACI

+     Domain(topo.standalone, DEFAULT_SUFFIX).\

+         add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'

+                    f'(version 3.0; acl "$tet_thistest"; '

+                    f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')

+ 

+     # create connection with USER_WITH_ACI_DELADD

+     conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

+ 

+     # Perform Allow delete access to dynamic group

+     UserAccount(conn, USER_DELADD).delete()

+ 

+ 

+ def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user):

+ 

+     """

+     Test to  Allow delete access to dynamic group

+     :id: 14ffa452-68ed-11e8-a60d-8c16451d917b

+     :setup: server

+     :steps:

+         1. Add test entry

+         2. Add ACI that Allow delete privilege to dynamic group

+         3. Delete something using test USER_DELADD

+         4. Remove ACI

+     :expectedresults:

+         1. Entry should be added

+         2. ACI should be added

+         3. Operation should   succeed

+         4. Delete operation for ACI should succeed

+     """

+     # Create dynamic group

+     groups = Groups(topo.standalone, DEFAULT_SUFFIX)

+     group = groups.create(properties={"cn": "group1",

+                                       "description": "testgroup"})

+ 

+     group.add("objectclass", "groupOfURLs")

+     group.add("memberURL",

+               f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))')

+ 

+     # Set ACI

+     Domain(topo.standalone, DEFAULT_SUFFIX).\

+         add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'

+                    f'(targetattr=uid)(version 3.0; acl "$tet_thistest"; '

+                    f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')

+ 

+     # create connection with USER_WITH_ACI_DELADD

+     conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

+ 

+     # Perform Allow delete access to dynamic group

+     UserAccount(conn, USER_DELADD).delete()

+ 

+ 

+ def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user):

+ 

+     """

+     Test to  Allow delete access to != dynamic group

+     :id: 14ffa452-68ed-11e8-a60d-8c16451d917b

+     :setup: server

+     :steps:

+         1. Add test entry

+         2. Add ACI that delete access to != dynamic group

+         3. Delete something using test USER_DELADD

+         4. Remove ACI

+     :expectedresults:

+         1. Entry should be added

+         2. ACI should be added

+         3. Operation should  not succeed

+         4. Delete operation for ACI should succeed

+     """

+     # Create dynamic group

+     groups = Groups(topo.standalone, DEFAULT_SUFFIX)

+     group = groups.create(properties={"cn": "group1",

+                                       "description": "testgroup"})

+     group.add("objectclass", "groupOfURLs")

+     group.add("memberURL",

+               f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))')

+ 

+     # Set ACI

+     Domain(topo.standalone, DEFAULT_SUFFIX).\

+         add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'

+                    f'(targetattr=*)(version 3.0; acl "$tet_thistest"; '

+                    f'allow (delete) (groupdn != "ldap:///{group.dn}"); )')

+ 

+     # create connection with USER_WITH_ACI_DELADD

+     conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)

+     user = UserAccount(conn, USER_DELADD)

+ 

+     # Perform Allow delete access to != dynamic group

+     with pytest.raises(ldap.INSUFFICIENT_ACCESS):

+         user.delete()

+ 

+ 

+ if __name__ == "__main__":

+     CURRENT_FILE = os.path.realpath(__file__)

+     pytest.main("-s -v %s" % CURRENT_FILE)
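Review bot: The `:id:` docstring values are not unique: `2dd7f624-68e7-11e8-8591-8c16451d917b` is used by both `test_allow_add_access_to_parent` and `test_allow_delete_access_to_parent`, and `14ffa452-68ed-11e8-a60d-8c16451d917b` by all three dynamic-group tests, so the ids the suite relies on for traceability cannot tell which case a result belongs to; each test needs its own id. The `__main__` block passes one string to `pytest.main`, which expects a list of arguments and rejects a plain string on current pytest versions; use `pytest.main(["-s", "-v", CURRENT_FILE])`. The negative tests (`test_allow_delete_access_not_to_userdn`, `test_allow_delete_access_not_to_group`, `test_allow_delete_access_not_to_dynamic_group`) only check that the excluded bind user gets `INSUFFICIENT_ACCESS`, which is also the outcome when the ACI did not apply at all; binding as the unused `test_user_2` the `_add_user` fixture creates and asserting that its delete of `USER_DELADD` succeeds would confirm that the negation, not the default deny, is what blocks access. The ACL names `"$tet_thistest"` in the dynamic-group ACIs are a leftover TET variable rather than a descriptive label; something like `acl "Allow delete for {group.dn}"` would make the server-side ACI readable.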

Port ACI test suite from TET to python3 (Delete and Add)

https://pagure.io/389-ds-base/issue/50112

Reviewed by: ???

use with pytest.raises instead of try except

rebased onto 4d4c74a687b87c75d5a0de1b1d73112dfc5b0537

4 years ago

@firstyear , changes are done , Please check

Why do you add ou: People attribute for the users?

Why do you add ou: People attribute for the users?

There is a dynamic group which has :

group.add("memberURL", f'ldap:///{DEFAULT_SUFFIX}??sub?(&(ou=People)(cn=test_user_1000))')

as by default if you create a user with user = users.create_test_user(uid=i, gid=i)

the dn will be 'uid=test_user_1000,ou=People,dc=example,dc=com' but no ou: 'People'

but dynamic group need ou: 'People '

Why do you add ou: People attribute for the users?

There is a dynamic group which has :
group.add("memberURL", f'ldap:///{DEFAULT_SUFFIX}??sub?(&(ou=People)(cn=test_user_1000))')
as by default if you create a user with user = users.create_test_user(uid=i, gid=i)
the dn will be 'uid=test_user_1000,ou=People,dc=example,dc=com' but no ou: 'People'
but dynamic group need ou: 'People '

It doesn't make sense... We don't create users with ou attribute. If you want to setup memberURL with the specific filter - use something like &(objectclass=person)(cn=test_user_1000))

You can use get() method here. First, create UserAccounts instance (without this rdn). And then get the user by selector (test_user_1000)

rebased onto b3772c5580fe5c9ebaa120a4edd2af7bdc074b74

4 years ago

@spichugi , changes are done , Please check

rebased onto 1cfd7584b2757af19eadbb3ed5e40537abbd6c43

4 years ago

It shouldn't be a docstring. It should be a commented text.

Please, go through --pylint output. There are a few issues left

You already have users object. Why not to use it here?

I think it will make more sense if you create a user (and assign it to user for delete operation). And then you can assert if the user is present (user.exists())

I think it will make more sense if you create a user (and assign it to user for delete operation). And then you can assert if the user is present (user.exists())

You can't do it, as you only have add privilege to parents.

And UserAccounts(conn, DEFAULT_SUFFIX, rdn='uid=test_user_1000, ou=people') and UserAccounts(topo.standalone, DEFAULT_SUFFIX).get('test_user_1').delete() are different

see conn and topo.standalone

rebased onto d826d53052f08e9dc81f193eda05b703717048f0

4 years ago

@spichugi , changes are done , Please check

You cant do it as you only have add privilege to parents .
And UserAccounts(conn, DEFAULT_SUFFIX, rdn='uid=test_user_1000, ou=people') and UserAccounts(topo.standalone, DEFAULT_SUFFIX).get('test_user_1').delete() are different

Right. We can't use the same UserAccount instance for the delete operation.
But the rest of my comment is true. The assert doesn't make sense here because if the user creation fails it will throw the exception anyway.
We should assert that the user exists().

see conn and topo.standalone !!

The imperative mood plus these two exclamation marks (after a space) can be misunderstood as a rude gesture (it sounds a bit like you are yelling at me).
Please, avoid such expressions in the project.

P.S. I understand that it wasn't, probably, your intention. But to be sure, please, use polite language forms. :)

rebased onto b673a77540f5218f5c402258c0e5ca8d39d6c4ba

4 years ago

rebased onto a6a53483afa7e421a693cab73299bbaf05b8b303

4 years ago

You cant do it as you only have add privilege to parents .
And UserAccounts(conn, DEFAULT_SUFFIX, rdn='uid=test_user_1000, ou=people') and UserAccounts(topo.standalone, DEFAULT_SUFFIX).get('test_user_1').delete() are different

Right. We can't use the same UserAccount instance for the delete operation.
But the rest of my comment is true. The assert doesn't make sense here because if the user creation fails it will throw the exception anyway.
We should assert that the user exists().

see conn and topo.standalone !!

The imperative mood plus these two exclamation marks (after a space) can be misunderstood as a rude gesture (it sounds a bit like you are yelling at me).
Please, avoid such expressions in the project.
P.S. I understand that it wasn't, probably, your intention. But to be sure, please, use polite language forms. :)

Obviously it was not my intention , will keep in mind in future

@spichugi , changes are done , Please check

rebased onto af97382

4 years ago

Pull-Request has been merged by spichugi

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3378

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

3 years ago