Apq
/
389-ds-base
дзеркало https://github.com/389ds/389-ds-base.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388
							# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ----


"""
This test script will test wrong/correct key value with ACIs.
"""

import os
import time
from datetime import datetime
import pytest

from lib389._constants import DEFAULT_SUFFIX, PW_DM
from lib389.idm.domain import Domain
from lib389.idm.organizationalunit import OrganizationalUnit
from lib389.idm.user import UserAccount

import ldap

pytestmark = pytest.mark.tier1


KEYWORDS_OU_KEY = "ou=Keywords,{}".format(DEFAULT_SUFFIX)
DAYOFWEEK_OU_KEY = "ou=Dayofweek,{}".format(KEYWORDS_OU_KEY)
IP_OU_KEY = "ou=IP,{}".format(KEYWORDS_OU_KEY)
TIMEOFDAY_OU_KEY = "ou=Timeofday,{}".format(KEYWORDS_OU_KEY)
EVERYDAY_KEY = "uid=EVERYDAY_KEY,{}".format(DAYOFWEEK_OU_KEY)
TODAY_KEY = "uid=TODAY_KEY,{}".format(DAYOFWEEK_OU_KEY)
NODAY_KEY = "uid=NODAY_KEY,{}".format(DAYOFWEEK_OU_KEY)
FULLIP_KEY = "uid=FULLIP_KEY,{}".format(IP_OU_KEY)
NETSCAPEIP_KEY = "uid=NETSCAPEIP_KEY,{}".format(IP_OU_KEY)
NOIP_KEY = "uid=NOIP_KEY,{}".format(IP_OU_KEY)
FULLWORKER_KEY = "uid=FULLWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)
DAYWORKER_KEY = "uid=DAYWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)
NIGHTWORKER_KEY = "uid=NIGHTWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)
NOWORKER_KEY = "uid=NOWORKER_KEY,{}".format(TIMEOFDAY_OU_KEY)


def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):
    """
    User can access the data when connecting from certain network only as per the ACI.

    :id: 4ec38296-7ac5-11e8-9816-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Turn access log buffering off to make less time consuming
    topo.standalone.config.set('nsslapd-accesslog-logbuffering', 'off')

    # Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
    # Wait till Access Log is generated
    topo.standalone.restart()

    ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]

    # Add ACI
    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '
                      f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')

    # create a new connection for the test
    conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, IP_OU_KEY)
    org.replace("seeAlso", "cn=1")
    # remove the aci
    domain.ensure_removed("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci '
                                 f'"IP aci"; allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and '
                                 f'ip = "{ip_ip}" ;)')
    # Now add aci with new ip
    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '
                      f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "100.1.1.1" ;)')

    # After changing  the ip user cant access data
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")


def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):
    """
    User cannot access the data when connectin from an unauthorized network as per the ACI.

    :id: 52d1ecce-7ac5-11e8-9ad9-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
    ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]
    # Add ACI
    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")'
                      f'(targetattr=*)(version 3.0; aci "IP aci"; '
                      f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '
                      f'and ip != "{ip_ip}" ;)')

    # create a new connection for the test
    conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, IP_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")
    # Remove the ACI
    domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])
    # Add new ACI
    domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)'
                      f'(version 3.0; aci "IP aci"; allow(all) '
                      f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')

    # now user can access data
    org.replace("seeAlso", "cn=1")


def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):
    """
    User NoIP cannot assess the data as per the ACI.

    :id: 570bc7f6-7ac5-11e8-88c1-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Add ACI
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target ="ldap:///{IP_OU_KEY}")'
                                      f'(targetattr=*)(version 3.0; aci "IP aci"; allow(all) '
                                      f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, NOIP_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, IP_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")


def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):
    """
    User can access the data at any time as per the ACI.

    :id: 5b4da91a-7ac5-11e8-bbda-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Add ACI
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
                                      f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '
                                      f'(timeofday >= "0000" and timeofday <= "2359") ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, FULLWORKER_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
    org.replace("seeAlso", "cn=1")


def test_user_can_access_the_data_only_in_the_morning(topo, add_user, aci_of_user):
    """
    User can access the data only in the morning as per the ACI.

    :id: 5f7d380c-7ac5-11e8-8124-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Add ACI
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
                                      f'allow(all) userdn = "ldap:///{DAYWORKER_KEY}" '
                                      f'and timeofday < "1200" ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, DAYWORKER_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
    if datetime.now().hour >= 12:
        with pytest.raises(ldap.INSUFFICIENT_ACCESS):
            org.replace("seeAlso", "cn=1")
    else:
        org.replace("seeAlso", "cn=1")


def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_user):
    """
    User can access the data only in the afternoon as per the ACI.

    :id: 63eb5b1c-7ac5-11e8-bd46-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Add ACI
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
                                      f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" '
                                      f'and timeofday > \'1200\' ;)')

    # create a new connection for the test
    conn = UserAccount(topo.standalone, NIGHTWORKER_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
    if datetime.now().hour < 12:
        with pytest.raises(ldap.INSUFFICIENT_ACCESS):
            org.replace("seeAlso", "cn=1")
    else:
        org.replace("seeAlso", "cn=1")


def test_timeofday_keyword(topo, add_user, aci_of_user):
    """
    User NOWORKER_KEY can access the data as per the ACI after removing
    ACI it cant.

    :id: 681dd58e-7ac5-11e8-bed1-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    now = time.strftime("%c")
    now_1 = "".join(now.split()[3].split(":"))[:4]
    # Add ACI
    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
    domain.add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
                      f'allow(all) userdn = "ldap:///{NOWORKER_KEY}" '
                      f'and timeofday = \'{now_1}\' ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, NOWORKER_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, TIMEOFDAY_OU_KEY)
    org.replace("seeAlso", "cn=1")
    # Remove ACI
    aci = domain.get_attr_vals_utf8('aci')[-1]
    domain.ensure_removed('aci', aci)
    assert aci not in domain.get_attr_vals_utf8('aci')
    # after removing the ACI user cannot access the data
    time.sleep(1)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")


def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user):
    """
    User can access the data EVERYDAY_KEY as per the ACI.

    :id: 6c5922ca-7ac5-11e8-8f01-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Add ACI
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
                                      f'(targetattr=*)(version 3.0; aci "Dayofweek aci"; '
                                      f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '
                                      f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, EVERYDAY_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
    org.replace("seeAlso", "cn=1")


def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):
    """
    User can access the data one day per week as per the ACI.

    :id: 7131dc88-7ac5-11e8-acc2-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    today_1 = time.strftime("%c").split()[0]
    # Add ACI
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
                                      f'(targetattr=*)(version 3.0; aci "Dayofweek aci";  '
                                      f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
                                      f'and dayofweek = \'{today_1}\' ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, TODAY_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
    org.replace("seeAlso", "cn=1")


def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):
    """
    User cannot access the data at all as per the ACI.

    :id: 75cdac5e-7ac5-11e8-968a-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Add ACI
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
                                      f'(targetattr=*)(version 3.0; aci "Dayofweek aci";  '
                                      f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
                                      f'and dayofweek = "$NEW_DATE" ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, NODAY_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")


if __name__ == "__main__":
    CURRENT_FILE = os.path.realpath(__file__)
    pytest.main("-s -v %s" % CURRENT_FILE)