
Issue: 50112 - Port ACI test suit from TET to python3(keyaci)

Port ACI test suite from TET to python3 (keyaci)

https://pagure.io/389-ds-base/issue/50112

Reviewed by: Mark Reynolds, Simon Pichugin, William Brown, Viktor Ashirov
Anuj Borah 6 năm trước cách đây
mục cha
commit
468b8a8dfe

+ 125 - 0
dirsrvtests/tests/suites/acl/conftest.py

@@ -0,0 +1,125 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2019 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ----
+
+"""
+This is the config file for keywords test scripts.
+
+"""
+
+import pytest
+
+from lib389._constants import DEFAULT_SUFFIX, PW_DM
+from lib389.idm.user import  UserAccounts
+from lib389.idm.organizationalunit import OrganizationalUnit, OrganizationalUnits
+from lib389.topologies import topology_st as topo
+from lib389.idm.domain import Domain
+
+
[email protected](scope="function")
+def aci_of_user(request, topo):
+    """
+    Removes and Restores ACIs after the test.
+    """
+    aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals_utf8('aci')
+
+    def finofaci():
+        """
+        Removes and Restores ACIs after the test.
+        """
+        domain = Domain(topo.standalone, DEFAULT_SUFFIX)
+        domain.remove_all('aci')
+        for aci in aci_list:
+            domain.add("aci", aci)
+
+    request.addfinalizer(finofaci)
+
+
[email protected](scope="module")
+def add_user(request, topo):
+    """
+    This function will create user for the test and in the end entries will be deleted .
+    """
+    ous_origin = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
+    ou_origin = ous_origin.create(properties={'ou': 'Keywords'})
+
+    ous_next = OrganizationalUnits(topo.standalone, ou_origin.dn)
+    for ou in ['Authmethod', 'Dayofweek', 'DNS', 'IP', 'Timeofday']:
+        ous_next.create(properties={'ou': ou})
+
+    users_day_of_week = UserAccounts(topo.standalone, f"ou=Dayofweek,ou=Keywords,{DEFAULT_SUFFIX}", rdn=None)
+    for user in ['EVERYDAY_KEY', 'TODAY_KEY', 'NODAY_KEY']:
+        users_day_of_week.create(properties={
+            'uid': user,
+            'cn': user,
+            'sn': 'user',
+            'uidNumber': '1000',
+            'gidNumber': '2000',
+            'homeDirectory': '/home/' + user,
+            'userPassword': PW_DM
+        })
+
+    users_ip = UserAccounts(topo.standalone, f"ou=IP,ou=Keywords,{DEFAULT_SUFFIX}", rdn=None)
+    for user in ['FULLIP_KEY', 'NETSCAPEIP_KEY', 'NOIP_KEY']:
+        users_ip.create(properties={
+            'uid': user,
+            'cn': user,
+            'sn': 'user',
+            'uidNumber': '1000',
+            'gidNumber': '2000',
+            'homeDirectory': '/home/' + user,
+            'userPassword': PW_DM
+        })
+
+    users_timeof_day = UserAccounts(topo.standalone, f"ou=Timeofday,ou=Keywords,{DEFAULT_SUFFIX}", rdn=None)
+    for user in ['FULLWORKER_KEY', 'DAYWORKER_KEY', 'NOWORKER_KEY', 'NIGHTWORKER_KEY']:
+        users_timeof_day.create(properties={
+            'uid': user,
+            'cn': user,
+            'sn': 'user',
+            'uidNumber': '1000',
+            'gidNumber': '2000',
+            'homeDirectory': '/home/' + user,
+            'userPassword': PW_DM
+        })
+
+    users_authmethod = UserAccounts(topo.standalone, f"ou=Authmethod,ou=Keywords,{DEFAULT_SUFFIX}", rdn=None)
+    for user in ['NONE_1_KEY', 'NONE_2_KEY', 'SIMPLE_1_KEY']:
+        users_authmethod.create(properties={
+            'uid': user,
+            'cn': user,
+            'sn': 'user',
+            'uidNumber': '1000',
+            'gidNumber': '2000',
+            'homeDirectory': '/home/' + user,
+            'userPassword': PW_DM
+        })
+
+    users_dns = UserAccounts(topo.standalone, f"ou=DNS,ou=Keywords,{DEFAULT_SUFFIX}", rdn=None)
+    for user in ['FULLDNS_KEY', 'SUNDNS_KEY', 'NODNS_KEY', 'NETSCAPEDNS_KEY']:
+        users_dns.create(properties={
+            'uid': user,
+            'cn': user,
+            'sn': 'user',
+            'uidNumber': '1000',
+            'gidNumber': '2000',
+            'homeDirectory': '/home/' + user,
+            'userPassword': PW_DM
+        })
+
+    def fin():
+        """
+        Deletes entries after the test.
+        """
+        for user in users_day_of_week.list() + users_ip.list() + users_timeof_day.list() + \
+                     users_authmethod.list() + users_dns.list():
+            user.delete()
+
+        for ou in sorted(ous_next.list(), key=lambda x: len(x.dn), reverse=True):
+            ou.delete()
+
+    request.addfinalizer(fin)
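Review bot: The module-scoped `fin` finalizer deletes the users and the child OUs but never deletes `ou_origin` (`ou=Keywords`), so that container outlives the module and any later module that creates the same OU under DEFAULT_SUFFIX will fail with ALREADY_EXISTS; add `ou_origin.delete()` after the `for ou in sorted(...)` loop. In `finofaci` the restore is `remove_all('aci')` followed by one `add` per saved value, so a failure part-way through leaves the suffix with fewer ACIs than it started with (and briefly with none); a single `domain.replace('aci', aci_list)` should restore the snapshot in one modify, and the list form is already relied on by the `add("aci", [...])` call in the DNS test of this commit. The snapshot in `aci_of_user` is taken with `get_attr_vals_utf8`, so the values are re-added exactly as stored; a comment such as `# Snapshot of the suffix ACIs before the test; restored verbatim by finofaci` on that line would make the intent clear.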

+ 386 - 0
dirsrvtests/tests/suites/acl/keywords_part2_test.py

@@ -0,0 +1,386 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2019 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ----
+
+
+"""
+This test script will test wrong/correct key value with ACIs.
+"""
+
+import os
+import time
+from datetime import datetime
+import pytest
+
+from lib389._constants import DEFAULT_SUFFIX, PW_DM
+from lib389.idm.domain import Domain
+from lib389.idm.organizationalunit import OrganizationalUnit
+from lib389.idm.user import UserAccount
+
+import ldap
+
+
+KEYWORDS_OU_KEY = "ou=Keywords,{}".format(DEFAULT_SUFFIX)
+DAYOFWEEK_OU_KEY = "ou=Dayofweek,{}".format(KEYWORDS_OU_KEY)
+IP_OU_KEY = "ou=IP,{}".format(KEYWORDS_OU_KEY)
+TIMEOFDAY_OU_KEY = "ou=Timeofday,{}".format(KEYWORDS_OU_KEY)
+EVERYDAY_KEY = "uid=EVERYDAY_KEY,{}".format(DAYOFWEEK_OU_KEY)
+TODAY_KEY = "uid=TODAY_KEY,{}".format(DAYOFWEEK_OU_KEY)
+NODAY_KEY = "uid=NODAY_KEY,{}".format(DAYOFWEEK_OU_KEY)
+FULLIP_KEY = "uid=FULLIP_KEY,{}".format(IP_OU_KEY)
+NETSCAPEIP_KEY = "uid=NETSCAPEIP_KEY,{}".format(IP_OU_KEY)
+NOIP_KEY = "uid=NOIP_KEY,{}".format(IP_OU_KEY)
+FULLWORKER_KEY = "uid=FULLWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)
+DAYWORKER_KEY = "uid=DAYWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)
+NIGHTWORKER_KEY = "uid=NIGHTWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)
+NOWORKER_KEY = "uid=NOWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)
+
+
+def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):
+    """
+    User can access the data when connecting from certain network only as per the ACI.
+
+    :id:4ec38296-7ac5-11e8-9816-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Turn access log buffering off to make less time consuming
+    topo.standalone.config.set('nsslapd-accesslog-logbuffering', 'off')
+
+    # Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
+    # Wait till Access Log is generated
+    topo.standalone.restart()
+
+    ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]
+
+    # Add ACI
+    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
+    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '
+                      f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')
+
+    # create a new connection for the test
+    conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, IP_OU_KEY)
+    org.replace("seeAlso", "cn=1")
+    # remove the aci
+    domain.ensure_removed("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci '
+                                 f'"IP aci"; allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and '
+                                 f'ip = "{ip_ip}" ;)')
+    # Now add aci with new ip
+    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '
+                      f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "100.1.1.1" ;)')
+
+    # After changing  the ip user cant access data
+    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+        org.replace("seeAlso", "cn=1")
+
+
+def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):
+    """
+    User cannot access the data when connectin from an unauthorized network as per the ACI.
+
+    :id:52d1ecce-7ac5-11e8-9ad9-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
+    ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]
+    # Add ACI
+    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
+    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")'
+                      f'(targetattr=*)(version 3.0; aci "IP aci"; '
+                      f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '
+                      f'and ip != "{ip_ip}" ;)')
+
+    # create a new connection for the test
+    conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, IP_OU_KEY)
+    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+        org.replace("seeAlso", "cn=1")
+    # Remove the ACI
+    domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])
+    # Add new ACI
+    domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)'
+                      f'(version 3.0; aci "IP aci"; allow(all) '
+                      f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')
+
+    # now user can access data
+    org.replace("seeAlso", "cn=1")
+
+
+def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):
+    """
+    User NoIP cannot assess the data as per the ACI.
+
+    :id:570bc7f6-7ac5-11e8-88c1-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone,
+           DEFAULT_SUFFIX).add("aci", f'(target ="ldap:///{IP_OU_KEY}")'
+                                      f'(targetattr=*)(version 3.0; aci "IP aci"; allow(all) '
+                                      f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, NOIP_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, IP_OU_KEY)
+    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+        org.replace("seeAlso", "cn=1")
+
+
+def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):
+    """
+    User can access the data at any time as per the ACI.
+
+    :id:5b4da91a-7ac5-11e8-bbda-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone,
+           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
+                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
+                                      f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '
+                                      f'(timeofday >= "0000" and timeofday <= "2359") ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, FULLWORKER_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
+    org.replace("seeAlso", "cn=1")
+
+
+def test_user_can_access_the_data_only_in_the_morning(topo, add_user, aci_of_user):
+    """
+    User can access the data only in the morning as per the ACI.
+
+    :id:5f7d380c-7ac5-11e8-8124-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone,
+           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
+                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
+                                      f'allow(all) userdn = "ldap:///{DAYWORKER_KEY}" '
+                                      f'and timeofday < "1200" ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, DAYWORKER_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
+    if datetime.now().hour >= 12:
+        with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+            org.replace("seeAlso", "cn=1")
+    else:
+        org.replace("seeAlso", "cn=1")
+
+
+def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_user):
+    """
+    User can access the data only in the afternoon as per the ACI.
+
+    :id:63eb5b1c-7ac5-11e8-bd46-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone,
+           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
+                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
+                                      f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" '
+                                      f'and timeofday > \'1200\' ;)')
+
+    # create a new connection for the test
+    conn = UserAccount(topo.standalone, NIGHTWORKER_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
+    if datetime.now().hour < 12:
+        with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+            org.replace("seeAlso", "cn=1")
+    else:
+        org.replace("seeAlso", "cn=1")
+
+
+def test_timeofday_keyword(topo, add_user, aci_of_user):
+    """
+    User NOWORKER_KEY can access the data as per the ACI after removing
+    ACI it cant.
+
+    :id:681dd58e-7ac5-11e8-bed1-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    now = time.strftime("%c")
+    now_1 = "".join(now.split()[3].split(":"))[:4]
+    # Add ACI
+    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
+    domain.add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
+                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
+                      f'allow(all) userdn = "ldap:///{NOWORKER_KEY}" '
+                      f'and timeofday = \'{now_1}\' ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, NOWORKER_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
+    org.replace("seeAlso", "cn=1")
+    # Remove ACI
+    aci = domain.get_attr_vals_utf8('aci')[-1]
+    domain.ensure_removed('aci', aci)
+    assert aci not in domain.get_attr_vals_utf8('aci')
+    # after removing the ACI user cannot access the data
+    time.sleep(1)
+    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+        org.replace("seeAlso", "cn=1")
+
+
+def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user):
+    """
+    User can access the data EVERYDAY_KEY as per the ACI.
+
+    :id:6c5922ca-7ac5-11e8-8f01-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone,
+           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
+                                      f'(targetattr=*)(version 3.0; aci "Dayofweek aci"; '
+                                      f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '
+                                      f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, EVERYDAY_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
+    org.replace("seeAlso", "cn=1")
+
+
+def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):
+    """
+    User can access the data one day per week as per the ACI.
+
+    :id:7131dc88-7ac5-11e8-acc2-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    today_1 = time.strftime("%c").split()[0]
+    # Add ACI
+    Domain(topo.standalone,
+           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
+                                      f'(targetattr=*)(version 3.0; aci "Dayofweek aci";  '
+                                      f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
+                                      f'and dayofweek = \'{today_1}\' ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, TODAY_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
+    org.replace("seeAlso", "cn=1")
+
+
+def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):
+    """
+    User cannot access the data at all as per the ACI.
+
+    :id:75cdac5e-7ac5-11e8-968a-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone,
+           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
+                                      f'(targetattr=*)(version 3.0; aci "Dayofweek aci";  '
+                                      f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
+                                      f'and dayofweek = "$NEW_DATE" ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, NODAY_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
+    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+        org.replace("seeAlso", "cn=1")
+
+
+if __name__ == "__main__":
+    CURRENT_FILE = os.path.realpath(__file__)
+    pytest.main("-s -v %s" % CURRENT_FILE)
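Review bot: `test_user_cannot_access_the_data_at_all` does not exercise the dayofweek clause it claims to: the ACI grants `userdn = "ldap:///{TODAY_KEY}"` while the connection binds as `NODAY_KEY`, so INSUFFICIENT_ACCESS is raised on the userdn mismatch alone, and `dayofweek = "$NEW_DATE"` looks like an unexpanded variable left over from the TET script; the ACI should name `NODAY_KEY` and use a weekday that is not `time.strftime("%a")` so the deny comes from the keyword. `test_timeofday_keyword` and `test_dayofweek_keyword_today_can_access` derive the current time and weekday by splitting `time.strftime("%c")`, whose field layout depends on the process locale; `time.strftime("%H%M")` and `time.strftime("%a")` give the same values directly. In `test_access_from_certain_network_only_ip` the client address is the last word of the first `connection from` line in the access log, which appears to be the server-side address of the line's `from ... to ...` pair and belongs to whichever connection was logged first, so it matches the test client only because both ends are localhost; `test_connectin_from_an_unauthorized_network` reads the same log without the restart and `nsslapd-accesslog-logbuffering` change made by the first test, so it silently depends on test order.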

+ 462 - 0
dirsrvtests/tests/suites/acl/keywords_test.py

@@ -0,0 +1,462 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2019 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ----
+
+"""
+This test script will test wrong/correct key value with ACIs.
+"""
+
+import os
+import socket
+import pytest
+
+from lib389.idm.account import Anonymous
+from lib389._constants import DEFAULT_SUFFIX, PW_DM
+from lib389.idm.domain import Domain
+from lib389.idm.organizationalunit import OrganizationalUnit
+from lib389.idm.user import UserAccount
+
+import ldap
+
+
+KEYWORDS_OU_KEY = "ou=Keywords,{}".format(DEFAULT_SUFFIX)
+DNS_OU_KEY = "ou=DNS,{}".format(KEYWORDS_OU_KEY)
+IP_OU_KEY = "ou=IP,{}".format(KEYWORDS_OU_KEY)
+FULLIP_KEY = "uid=FULLIP_KEY,{}".format(IP_OU_KEY)
+AUTHMETHOD_OU_KEY = "ou=Authmethod,{}".format(KEYWORDS_OU_KEY)
+SIMPLE_1_KEY = "uid=SIMPLE_1_KEY,{}".format(AUTHMETHOD_OU_KEY)
+FULLDNS_KEY = "uid=FULLDNS_KEY,{}".format(DNS_OU_KEY)
+SUNDNS_KEY = "uid=SUNDNS_KEY,{}".format(DNS_OU_KEY)
+NODNS_KEY = "uid=NODNS_KEY,{}".format(DNS_OU_KEY)
+NETSCAPEDNS_KEY = "uid=NETSCAPEDNS_KEY,{}".format(DNS_OU_KEY)
+NONE_1_KEY = "uid=NONE_1_KEY,{}".format(AUTHMETHOD_OU_KEY)
+NONE_2_KEY = "uid=NONE_2_KEY,{}".format(AUTHMETHOD_OU_KEY)
+
+
+NONE_ACI_KEY = f'(target = "ldap:///{AUTHMETHOD_OU_KEY}")' \
+               f'(targetattr=*)(version 3.0; aci "Authmethod aci"; ' \
+               f'allow(all) userdn = "ldap:///{NONE_1_KEY}" and authmethod = "none" ;)'
+
+SIMPLE_ACI_KEY = f'(target = "ldap:///{AUTHMETHOD_OU_KEY}")' \
+                 f'(targetattr=*)(version 3.0; aci "Authmethod aci"; ' \
+                 f'allow(all) userdn = "ldap:///{SIMPLE_1_KEY}" and authmethod = "simple" ;)'
+
+
+def _add_aci(topo, name):
+    """
+    This function will add ACI to  DEFAULT_SUFFIX
+    """
+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", name)
+
+
+def test_user_binds_with_a_password_and_can_access_the_data(topo, add_user, aci_of_user):
+    """
+    User binds with a password and can access the data as per the ACI.
+
+    :id:f6c4b6f0-7ac4-11e8-a517-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    _add_aci(topo, NONE_ACI_KEY)
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, NONE_1_KEY).bind(PW_DM)
+    # Perform Operation
+    OrganizationalUnit(conn, AUTHMETHOD_OU_KEY).replace("seeAlso", "cn=1")
+
+
+def test_user_binds_with_a_bad_password_and_cannot_access_the_data(topo, add_user, aci_of_user):
+    """
+    User binds with a BAD password and cannot access the data .
+
+    :id:0397744e-7ac5-11e8-bfb1-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # User binds with a bad password and cannot access the data
+    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
+        UserAccount(topo.standalone, NONE_1_KEY).bind("")
+
+
+def test_anonymous_user_cannot_access_the_data(topo, add_user, aci_of_user):
+    """
+    Anonymous user cannot access the data
+
+    :id:0821a55c-7ac5-11e8-b214-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    _add_aci(topo, NONE_ACI_KEY)
+
+    # Create a new connection for this test.
+    conn = Anonymous(topo.standalone).bind()
+    # Perform Operation
+    org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
+    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+        org.replace("seeAlso", "cn=1")
+
+
+def test_authenticated_but_has_no_rigth_on_the_data(topo, add_user, aci_of_user):
+    """
+    User has a password. He is authenticated but has no rigth on the data.
+
+    :id:11be7ebe-7ac5-11e8-b754-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    _add_aci(topo, NONE_ACI_KEY)
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, SIMPLE_1_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
+    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+        org.replace("seeAlso", "cn=1")
+
+
+def test_the_bind_client_is_accessing_the_directory(topo, add_user, aci_of_user):
+    """
+     The bind rule is evaluated to be true if the client is accessing the directory as per the ACI.
+
+     :id:1715bfb2-7ac5-11e8-8f2c-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    _add_aci(topo, SIMPLE_ACI_KEY)
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, SIMPLE_1_KEY).bind(PW_DM)
+    # Perform Operation
+    OrganizationalUnit(conn, AUTHMETHOD_OU_KEY).replace("seeAlso", "cn=1")
+
+
+def test_users_binds_with_a_password_and_can_access_the_data(
+        topo, add_user, aci_of_user):
+    """
+    User binds with a password and can access the data as per the ACI.
+
+    :id:1bd01cb4-7ac5-11e8-a2f1-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    _add_aci(topo, SIMPLE_ACI_KEY)
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, SIMPLE_1_KEY).bind(PW_DM)
+    # Perform Operation
+    OrganizationalUnit(conn, AUTHMETHOD_OU_KEY).replace("seeAlso", "cn=1")
+
+
+def test_user_binds_without_any_password_and_cannot_access_the_data(topo, add_user, aci_of_user):
+    """
+    User binds without any password and cannot access the data
+
+    :id:205777fa-7ac5-11e8-ba2f-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    _add_aci(topo, SIMPLE_ACI_KEY)
+
+    # Create a new connection for this test.
+    conn = Anonymous(topo.standalone).bind()
+    # Perform Operation
+    org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
+    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+        org.replace("seeAlso", "cn=1")
+
+
+def test_user_can_access_the_data_when_connecting_from_any_machine(
+        topo, add_user, aci_of_user
+):
+    """
+    User can access the data when connecting from any machine as per the ACI.
+
+    :id:28cbc008-7ac5-11e8-934e-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone, DEFAULT_SUFFIX)\
+        .add("aci", f'(target ="ldap:///{DNS_OU_KEY}")'
+                    f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
+                    f'userdn = "ldap:///{FULLDNS_KEY}" and dns = "*" ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, FULLDNS_KEY).bind(PW_DM)
+    # Perform Operation
+    OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
+
+
+def test_user_can_access_the_data_when_connecting_from_internal_ds_network_only(
+        topo, add_user, aci_of_user
+):
+    """
+    User can access the data when connecting from internal ICNC network only as per the ACI.
+    :id:2cac2136-7ac5-11e8-8328-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    dns_name = socket.getfqdn()
+    # Add ACI
+    Domain(topo.standalone, DEFAULT_SUFFIX).\
+        add("aci", [f'(target = "ldap:///{DNS_OU_KEY}")'
+                    f'(targetattr=*)(version 3.0; aci "DNS aci"; '
+                    f'allow(all) userdn = "ldap:///{SUNDNS_KEY}" and dns = "*redhat.com" ;)',
+                    f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
+                    f'(version 3.0; aci "DNS aci"; allow(all) '
+                    f'userdn = "ldap:///{SUNDNS_KEY}" and dns = "{dns_name}" ;)'])
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, SUNDNS_KEY).bind(PW_DM)
+    # Perform Operation
+    OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
+
+
+def test_user_can_access_the_data_when_connecting_from_some_network_only(
+        topo, add_user, aci_of_user
+):
+    """
+    User can access the data when connecting from some network only as per the ACI.
+
+    :id:3098512a-7ac5-11e8-af85-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    dns_name = socket.getfqdn()
+    # Add ACI
+    Domain(topo.standalone, DEFAULT_SUFFIX)\
+        .add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
+                    f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
+                    f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
+                    f'and dns = "{dns_name}" ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)
+    # Perform Operation
+    OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
+
+
+def test_from_an_unauthorized_network(topo, add_user, aci_of_user):
+    """
+    User cannot access the data when connecting from an unauthorized network as per the ACI.
+
+    :id:34cf9726-7ac5-11e8-bc12-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone, DEFAULT_SUFFIX).\
+        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
+                   f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
+                   f'userdn = "ldap:///{NETSCAPEDNS_KEY}" and dns != "red.iplanet.com" ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)
+    # Perform Operation
+    OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
+
+
+def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_network_2(
+        topo, add_user, aci_of_user):
+    """
+    User cannot access the data when connecting from an unauthorized network as per the ACI.
+
+    :id:396bdd44-7ac5-11e8-8014-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone, DEFAULT_SUFFIX).\
+        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
+                   f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
+                   f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
+                   f'and dnsalias != "www.redhat.com" ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)
+    # Perform Operation
+    OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
+
+
+def test_user_cannot_access_the_data_if_not_from_a_certain_domain(topo, add_user, aci_of_user):
+    """
+    User cannot access the data if not from a certain domain as per the ACI.
+    :id:3d658972-7ac5-11e8-930f-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone, DEFAULT_SUFFIX).\
+        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
+                   f'(version 3.0; aci "DNS aci"; allow(all) '
+                   f'userdn = "ldap:///{NODNS_KEY}" '
+                   f'and dns = "RAP.rock.SALSA.house.COM" ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
+    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+        org.replace("seeAlso", "cn=1")
+
+
+def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
+    """
+    Dnsalias Keyword NODNS_KEY cannot assess data as per the ACI.
+
+    :id:41b467be-7ac5-11e8-89a3-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone, DEFAULT_SUFFIX).\
+        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
+                   f'(version 3.0; aci "DNS aci"; allow(all) '
+                   f'userdn = "ldap:///{NODNS_KEY}" and '
+                   f'dnsalias = "RAP.rock.SALSA.house.COM" ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
+    # Perform Operation
+    org = OrganizationalUnit(conn, DNS_OU_KEY)
+    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
+        org.replace("seeAlso", "cn=1")
+
+
+def test_user_can_access_the_data_when_connecting_from_any_machine_2(topo, add_user, aci_of_user):
+    """
+    User can access the data when connecting from any machine as per the ACI.
+
+    :id:461e761e-7ac5-11e8-9ae4-8c16451d917b
+    :setup: Standalone Server
+    :steps:
+        1. Add test entry
+        2. Add ACI
+        3. User should follow ACI role
+    :expectedresults:
+        1. Entry should be added
+        2. Operation should  succeed
+        3. Operation should  succeed
+    """
+    # Add ACI
+    Domain(topo.standalone, DEFAULT_SUFFIX).\
+        add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr=*)'
+                   f'(version 3.0; aci "IP aci"; allow(all) '
+                   f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')
+
+    # Create a new connection for this test.
+    conn = UserAccount(topo.standalone, FULLIP_KEY).bind(PW_DM)
+    # Perform Operation
+    OrganizationalUnit(conn, IP_OU_KEY).replace("seeAlso", "cn=1")
+
+
+if __name__ == "__main__":
+    CURRENT_FILE = os.path.realpath(__file__)
+    pytest.main("-s -v %s" % CURRENT_FILE)
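Review bot: `test_user_cannot_access_the_data_if_not_from_a_certain_domain` binds as NODNS_KEY and then modifies `OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)`, while the ACI it adds targets `DNS_OU_KEY`; no ACI grants that user anything under the Authmethod OU, so INSUFFICIENT_ACCESS is raised regardless of how the `dns = "RAP.rock.SALSA.house.COM"` clause evaluates, and the line should be `org = OrganizationalUnit(conn, DNS_OU_KEY)` as in the dnsalias test below it. `test_user_binds_with_a_bad_password_and_cannot_access_the_data` binds with an empty password and expects UNWILLING_TO_PERFORM, which is the server refusing an unauthenticated simple bind (DN set, password empty) rather than rejecting a wrong password, so the test checks the unauthenticated-bind setting, not password validation; a bad-password check is `with pytest.raises(ldap.INVALID_CREDENTIALS): UserAccount(topo.standalone, NONE_1_KEY).bind("wrong-" + PW_DM)`. The `dns = "*redhat.com"` ACI in the internal-network test hard-codes a domain suffix for the test host, and it is the second ACI built from `socket.getfqdn()` that actually grants access, so the first should either be dropped or carry a comment stating it is expected not to match outside that domain.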