Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299
							# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ----

import pytest, os, ldap
from lib389._constants import DEFAULT_SUFFIX, PW_DM
from lib389.idm.user import UserAccount
from lib389.idm.account import Anonymous
from lib389.idm.group import Group, UniqueGroup
from lib389.idm.organizationalunit import OrganizationalUnit, OrganizationalUnits
from lib389.topologies import topology_st as topo
from lib389.idm.domain import Domain

pytestmark = pytest.mark.tier1

CONTAINER_1_DELADD = "ou=Product Development,{}".format(DEFAULT_SUFFIX)
CONTAINER_2_DELADD = "ou=Accounting,{}".format(DEFAULT_SUFFIX)
USER_DELADD = "cn=Jeff Vedder,{}".format(CONTAINER_1_DELADD)
USER_WITH_ACI_DELADD = "cn=Sam Carter,{}".format(CONTAINER_2_DELADD)
DYNAMIC_MODRDN = "cn=Test DYNAMIC_MODRDN Group 70, {}".format(DEFAULT_SUFFIX)
SAM_DAMMY_MODRDN = "cn=Sam Carter1,ou=Accounting,{}".format(DEFAULT_SUFFIX)
TRAC340_MODRDN = "cn=TRAC340_MODRDN,{}".format(DEFAULT_SUFFIX)
NEWENTRY9_MODRDN = "cn=NEWENTRY9_MODRDN,{}".format("ou=People,{}".format(DEFAULT_SUFFIX))
OU0_OU_MODRDN = "ou=OU0,{}".format(DEFAULT_SUFFIX)
OU2_OU_MODRDN = "ou=OU2,{}".format(DEFAULT_SUFFIX)


@pytest.fixture(scope="function")
def aci_of_user(request, topo):
    aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')

    def finofaci():
        domain = Domain(topo.standalone, DEFAULT_SUFFIX)
        domain.set('aci', None)
        for i in aci_list:
            domain.add("aci", i)

    request.addfinalizer(finofaci)


@pytest.fixture(scope="function")
def _add_user(request, topo):
    ou = OrganizationalUnit(topo.standalone, 'ou=Product Development,{}'.format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'Product Development'})

    ou = OrganizationalUnit(topo.standalone, 'ou=Accounting,{}'.format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'Accounting'})

    groups = Group(topo.standalone, DYNAMIC_MODRDN)
    group_properties = {"cn": "Test DYNAMIC_MODRDN Group 70",
                        "objectclass": ["top", 'groupofURLs'],
                        'memberURL': 'ldap:///{}??base?(cn=*)'.format(USER_WITH_ACI_DELADD)}
    groups.create(properties=group_properties)

    properties = {
        'uid': 'Jeff Vedder',
        'cn': 'Jeff Vedder',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'JeffVedder',
        'userPassword': PW_DM
    }
    user = UserAccount(topo.standalone, 'cn=Jeff Vedder,ou=Product Development,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    properties = {
        'uid': 'Sam Carter',
        'cn': 'Sam Carter',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'SamCarter',
        'userPassword': PW_DM
    }
    user = UserAccount(topo.standalone, 'cn=Sam Carter,ou=Accounting,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    def fin():
        for DN in [USER_DELADD,USER_WITH_ACI_DELADD,DYNAMIC_MODRDN,CONTAINER_2_DELADD,CONTAINER_1_DELADD]:
            UserAccount(topo.standalone, DN).delete()

    request.addfinalizer(fin)


def test_allow_write_privilege_to_anyone(topo, _add_user, aci_of_user):
    """
    Modrdn Test 1 Allow write privilege to anyone
    :id: 4406f12e-7932-11e8-9dea-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",
        '(target ="ldap:///{}")(targetattr=*)(version 3.0;acl "$tet_thistest";allow '
        '(write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX))
    conn = Anonymous(topo.standalone).bind()
    # Allow write privilege to anyone
    useraccount = UserAccount(conn, USER_WITH_ACI_DELADD)
    useraccount.rename("cn=Jeff Vedder")
    assert 'cn=Jeff Vedder,ou=Accounting,dc=example,dc=com' == useraccount.dn
    useraccount = UserAccount(conn, "cn=Jeff Vedder,ou=Accounting,dc=example,dc=com")
    useraccount.rename("cn=Sam Carter")
    assert 'cn=Sam Carter,ou=Accounting,dc=example,dc=com' == useraccount.dn


def test_allow_write_privilege_to_dynamic_group_with_scope_set_to_base_in_ldap_url(
    topo, _add_user, aci_of_user
):
    """
        Modrdn Test 2 Allow write privilege to DYNAMIC_MODRDN group with scope set to base in LDAP URL
        :id: 4c0f8c00-7932-11e8-8398-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Add ACI
            3. User should follow ACI role
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(target = ldap:///{})(targetattr=*)(version 3.0; acl "$tet_thistest"; allow(all)(groupdn = "ldap:///{}"); )'.format(DEFAULT_SUFFIX, DYNAMIC_MODRDN))
    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    # Allow write privilege to DYNAMIC_MODRDN group with scope set to base in LDAP URL
    useraccount = UserAccount(conn, USER_DELADD)
    useraccount.rename("cn=Jeffbo Vedder")
    assert 'cn=Jeffbo Vedder,ou=Product Development,dc=example,dc=com' == useraccount.dn
    useraccount = UserAccount(conn, "cn=Jeffbo Vedder,{}".format(CONTAINER_1_DELADD))
    useraccount.rename("cn=Jeff Vedder")
    assert 'cn=Jeff Vedder,ou=Product Development,dc=example,dc=com' == useraccount.dn


def test_write_access_to_naming_atributes(topo, _add_user, aci_of_user):
    """
        Test for write access to naming atributes (1)
        Test that check for add writes to the new naming attr
        :id: 532fc630-7932-11e8-8924-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Add ACI
            3. User should follow ACI role
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target ="ldap:///{}")(targetattr != "uid")(version 3.0;acl "$tet_thistest";allow (write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX))
    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    #Test for write access to naming atributes
    useraccount = UserAccount(conn, USER_WITH_ACI_DELADD)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        useraccount.rename("uid=Jeffbo Vedder")
    

def test_write_access_to_naming_atributes_two(topo, _add_user, aci_of_user):
    """
        Test for write access to naming atributes (2)
        :id: 5a2077d2-7932-11e8-9e7b-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Add ACI
            3. User should follow ACI role
            4. Now try to modrdn it to cn, won't work if request deleteoldrdn.
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  not succeed
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target ="ldap:///{}")(targetattr != "uid")(version 3.0;acl "$tet_thistest";allow (write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX))
    properties = {
        'uid': 'Sam Carter1',
        'cn': 'Sam Carter1',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'SamCarter1'
    }
    user = UserAccount(topo.standalone, 'cn=Sam Carter1,ou=Accounting,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)
    user.set("userPassword", "password")
    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    # Test for write access to naming atributes
    useraccount = UserAccount(conn, SAM_DAMMY_MODRDN)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        useraccount.rename("uid=Jeffbo Vedder")
    UserAccount(topo.standalone, SAM_DAMMY_MODRDN).delete()


@pytest.mark.bz950351
def test_access_aci_list_contains_any_deny_rule(topo, _add_user, aci_of_user):
    """
        Testing bug #950351:  RHDS denies MODRDN access if ACI list contains any DENY rule
        Bug description: If you create a deny ACI for some or more attributes there is incorrect behaviour
         as you cannot rename the entry anymore
        :id: 62cbbb8a-7932-11e8-96a7-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Adding a new ou ou=People to $BASEDN
            3. Adding a user NEWENTRY9_MODRDN to ou=People,$BASEDN
            4. Adding an allow rule for NEWENTRY9_MODRDN and for others an aci deny rule
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  succeed
    """
    properties = {
        'uid': 'NEWENTRY9_MODRDN',
        'cn': 'NEWENTRY9_MODRDN_People',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'NEWENTRY9_MODRDN'
    }
    user = UserAccount(topo.standalone, 'cn=NEWENTRY9_MODRDN,ou=People,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)
    user.set("userPassword", "password")
    user.set("telephoneNumber", "989898191")
    user.set("mail", "[email protected]")
    user.set("givenName", "givenName")
    user.set("uid", "NEWENTRY9_MODRDN")
    OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).get('People').add("aci", ['(targetattr = "*") '
        '(version 3.0;acl "admin";allow (all)(userdn = "ldap:///{}");)'.format(NEWENTRY9_MODRDN),
        '(targetattr = "mail") (version 3.0;acl "deny_mail";deny (write)(userdn = "ldap:///anyone");)',
        '(targetattr = "uid") (version 3.0;acl "allow uid";allow (write)(userdn = "ldap:///{}");)'.format(NEWENTRY9_MODRDN)])
    UserAccount(topo.standalone, NEWENTRY9_MODRDN).replace("userpassword", "Anuj")
    useraccount = UserAccount(topo.standalone, NEWENTRY9_MODRDN)
    useraccount.rename("uid=newrdnchnged")
    assert 'uid=newrdnchnged,ou=People,dc=example,dc=com' == useraccount.dn


def test_renaming_target_entry(topo, _add_user, aci_of_user):
    """
        Test for renaming target entry
        :id: 6be1d33a-7932-11e8-9115-8c16451d917b
        :setup: server
        :steps:
            1. Add test entry
            2. Create a test user entry
            3.Create a new ou entry with an aci
            4. Make sure uid=$MYUID has the access
            5. Rename ou=OU0 to ou=OU1
            6. Create another ou=OU2
            7. Move ou=OU1 under ou=OU2
            8. Make sure uid=$MYUID still has the access
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
            4. Operation should  succeed
            5. Operation should  succeed
            6. Operation should  succeed
            7. Operation should  succeed
            8. Operation should  succeed
    """
    properties = {
        'uid': 'TRAC340_MODRDN',
        'cn': 'TRAC340_MODRDN',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'TRAC340_MODRDN'
    }
    user = UserAccount(topo.standalone, 'cn=TRAC340_MODRDN,{}'.format(DEFAULT_SUFFIX))
    user.create(properties=properties)
    user.set("userPassword", "password")
    ou = OrganizationalUnit(topo.standalone, 'ou=OU0,{}'.format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'OU0'})
    ou.set('aci', '(targetattr=*)(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'.format(TRAC340_MODRDN))
    conn = UserAccount(topo.standalone, TRAC340_MODRDN).bind(PW_DM)
    assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU0')
    # Test for renaming target entry
    OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).get('OU0').rename("ou=OU1")
    assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU1')
    ou = OrganizationalUnit(topo.standalone, 'ou=OU2,{}'.format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'OU2'})
    # Test for renaming target entry
    OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).get('OU1').rename("ou=OU1", newsuperior=OU2_OU_MODRDN)
    assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU1')


if __name__ == "__main__":
    CURRENT_FILE = os.path.realpath(__file__)
    pytest.main("-s -v %s" % CURRENT_FILE)