# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2016 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---
#
import logging
import os

import pytest

from lib389.tasks import *
from lib389.utils import *
from lib389.topologies import topology_st
# Module logger, forced to DEBUG so every LDAP step below is visible in
# a `pytest -s` run.
logging.getLogger(__name__).setLevel(logging.DEBUG)
log = logging.getLogger(__name__)

# Fixture layout: two sibling OUs under the default suffix and a single
# user that is created under the first one (the test moves it to the
# second).
_SUFFIX = 'dc=example,dc=com'
CONTAINER_1_OU = 'test_ou_1'
CONTAINER_2_OU = 'test_ou_2'
CONTAINER_1 = 'ou={0},{1}'.format(CONTAINER_1_OU, _SUFFIX)
CONTAINER_2 = 'ou={0},{1}'.format(CONTAINER_2_OU, _SUFFIX)

USER_CN = 'test_user'
# Throw-away credential for the test user only; it is written in clear
# text here on purpose and must never be reused for anything else.
USER_PWD = 'Secret123'
USER = 'cn={0},{1}'.format(USER_CN, CONTAINER_1)
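@pytest.fixture(scope="module")
def env_setup(topology_st):
    """Add two containers, one user and two ACI rules.

    Creates CONTAINER_1 and CONTAINER_2, adds USER (password USER_PWD)
    under CONTAINER_1, then puts an ``allow (all)`` ACI for USER, with
    ``targetattr="*"``, on each container. Neither ACI names the
    ``modrdn`` right explicitly; that is what test_ticket47553 relies on.

    All writes go through the already-bound ``topology_st.standalone``
    connection. Any LDAPError is logged and turns into a failing assert,
    matching the rest of this file. Nothing is cleaned up afterwards
    (module scope).
    """
    containers = [(CONTAINER_1, CONTAINER_1_OU), (CONTAINER_2, CONTAINER_2_OU)]
    try:
        for dn, ou in containers:
            log.info("Add a container: %s" % dn)
            # objectclass must be a list: a dict literal with the key
            # 'objectclass' twice keeps only the last value, so the
            # original entry silently lost 'top'.
            topology_st.standalone.add_s(Entry((dn,
                                                {'objectclass': ['top', 'organizationalunit'],
                                                 'ou': ou,
                                                 })))
        log.info("Add a user: %s" % USER)
        topology_st.standalone.add_s(Entry((USER,
                                            {'objectclass': 'top person'.split(),
                                             'cn': USER_CN,
                                             'sn': USER_CN,
                                             'userpassword': USER_PWD
                                             })))
    except ldap.LDAPError as e:
        log.error('Failed to add object to database: %s' % e.message['desc'])
        assert False

    # Deliberately maximal grant (every attribute, every right) restricted
    # to the single test user by userdn. The ACI has no explicit target,
    # so it is scoped by where it is placed; the test relies on it also
    # covering the user entry underneath CONTAINER_1 -- verify against the
    # server's ACI target-scope defaults if this ever changes.
    ACI_TARGET = '(targetattr="*")'
    ACI_ALLOW = '(version 3.0; acl "All rights for %s"; allow (all) ' % USER
    ACI_SUBJECT = 'userdn="ldap:///%s";)' % USER
    ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
    mod = [(ldap.MOD_ADD, 'aci', ACI_BODY)]
    try:
        for dn, _ in containers:
            log.info("Add an ACI 'allow (all)' by %s to the %s" % (USER, dn))
            topology_st.standalone.modify_s(dn, mod)
    except ldap.LDAPError as e:
        log.fatal('Failed to add ACI: error (%s)' % (e.message['desc']))
        assert False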
def test_ticket47553(topology_st, env_setup):
    """MODRDN must succeed for a user with 'allow (all)' on the superiors.

    USER holds ``allow (all)`` -- but no explicit ``modrdn`` keyword -- on
    both CONTAINER_1 and CONTAINER_2 (see env_setup). Bound as that user,
    the test moves its own entry from CONTAINER_1 to CONTAINER_2 with a
    MODRDN that keeps the RDN, then searches one level below each
    container: the entry must be gone from the first and present in the
    second.

    Note: the verification searches run on the same connection, i.e.
    still bound as USER, so they also depend on USER being able to read
    both containers (the ``allow (all)`` ACIs cover that). The connection
    is left bound as USER when the test returns.
    """
    log.info("Bind as %s" % USER)
    try:
        topology_st.standalone.simple_bind_s(USER, USER_PWD)
    except ldap.LDAPError as e:
        log.error('Bind failed for %s, error %s' % (USER, e.message['desc']))
        assert False

    log.info("User MODRDN operation from %s to %s" % (CONTAINER_1,
                                                     CONTAINER_2))
    new_rdn = "cn=%s" % USER_CN
    try:
        # Same RDN, new superior; delold=1 removes the old RDN value,
        # which is identical to the new one here.
        topology_st.standalone.rename_s(USER, new_rdn,
                                        newsuperior=CONTAINER_2, delold=1)
    except ldap.LDAPError as e:
        log.error('MODRDN failed for %s, error %s' % (USER, e.message['desc']))
        assert False

    user_filter = 'cn=%s' % USER_CN

    def _children_named_user(parent):
        # One-level search directly below ``parent`` for USER_CN.
        return topology_st.standalone.search_s(parent,
                                               ldap.SCOPE_ONELEVEL,
                                               user_filter)

    try:
        log.info("Check there is no user in %s" % CONTAINER_1)
        assert not _children_named_user(CONTAINER_1)
        log.info("Check there is our user in %s" % CONTAINER_2)
        assert _children_named_user(CONTAINER_2)
    except ldap.LDAPError as e:
        log.fatal('Search failed, error: ' + e.message['desc'])
        assert False
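if __name__ == '__main__':
    # Run isolated
    # -s for DEBUG mode
    # -v for additional verbose
    CURRENT_FILE = os.path.realpath(__file__)
    # pytest.main() takes a list of argument strings; the single-string
    # form used previously was deprecated and later rejected by pytest.
    pytest.main(["-s", "-v", CURRENT_FILE])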