From 0fff8ab61405b17463112e60f8a08ac39e5d563d Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Tue, 21 Jun 2016 11:11:52 +1000
Subject: [PATCH 389/390] Ticket 48354 - Review of default ACI in the directory
server
Bug Description: By default we provide a default ACI that allows reading of the
default ACI
Fix Description: Change the default, and add a test to detect regression of this.
https://fedorahosted.org/389/ticket/48354
Author: wibrown
Review by: nhosoi (Thanks!)
(cherry picked from commit 3c2cd48b7d2cb0579f7de6d460bcd0c9bb1157bd)
---
dirsrvtests/tests/tickets/ticket48354_test.py | 109 ++++++++++++++++++++++++++
ldap/ldif/template-baseacis.ldif.in | 2 +-
2 files changed, 110 insertions(+), 1 deletion(-)
create mode 100644 dirsrvtests/tests/tickets/ticket48354_test.py
diff --git a/dirsrvtests/tests/tickets/ticket48354_test.py b/dirsrvtests/tests/tickets/ticket48354_test.py
new file mode 100644
index 0000000..53e1316
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket48354_test.py
@@ -0,0 +1,109 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+DEBUGGING = False
+
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+
+
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ """The DS Topology Class"""
+ def __init__(self, standalone):
+ """Init"""
+ standalone.open()
+ self.standalone = standalone
+
+
+@pytest.fixture(scope="module")
+def topology(request):
+ """Create DS Deployment"""
+
+ # Creating standalone instance ...
+ if DEBUGGING:
+ standalone = DirSrv(verbose=True)
+ else:
+ standalone = DirSrv(verbose=False)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ def fin():
+ """If we are debugging just stop the instances, otherwise remove
+ them
+ """
+ if DEBUGGING:
+ standalone.stop(60)
+ else:
+ standalone.delete()
+
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+
+def _attr_present(conn, name):
+ results = conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(%s=*)' % name, [name,])
+ if DEBUGGING:
+ print(results)
+ if len(results) > 0:
+ return True
+ return False
+
+def test_ticket48354(topology):
+ """
+ Test that we cannot view ACIs, userPassword, or certain other attributes as anonymous.
+ """
+
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
+ # Do an anonymous bind
+ conn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE))
+ conn.simple_bind_s()
+
+ # Make sure that we cannot see:
+ # * userPassword
+ assert(not _attr_present(conn, 'userPassword'))
+ # * aci
+ assert(not _attr_present(conn, 'aci'))
+ # * anything else?
+
+ conn.unbind_s()
+
+ log.info('Test PASSED')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
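Review bot: The two assertions `assert(not _attr_present(conn, 'userPassword'))` and `assert(not _attr_present(conn, 'aci'))` have no positive control, so they pass vacuously if no entry under DEFAULT_SUFFIX carries the attribute at all, or if the anonymous search returns nothing for an unrelated reason, which weakens the regression detection the commit message promises. Adding a check on the already-open privileged connection, e.g. `assert _attr_present(topology.standalone, 'aci')` (presumably bound as the root DN by `standalone.open()`; verify), and creating a test entry with a userPassword before the anonymous checks would make the negative results meaningful. The docstring says "or certain other attributes" but only those two are checked, so either the `# * anything else?` placeholder should be resolved or the docstring narrowed to `"""Anonymous bind must not be able to read userPassword or aci under the default suffix."""`. `conn.unbind_s()` is skipped when an assertion fails; wrapping the checks in `try: ... finally: conn.unbind_s()` keeps the connection from leaking on a failing run. `pytest.main("-s %s" % CURRENT_FILE)` passes a string, which newer pytest releases reject in favour of an argument list (`pytest.main(["-s", CURRENT_FILE])`).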
diff --git a/ldap/ldif/template-baseacis.ldif.in b/ldap/ldif/template-baseacis.ldif.in
index 089fb1f..4575921 100644
--- a/ldap/ldif/template-baseacis.ldif.in
+++ b/ldap/ldif/template-baseacis.ldif.in
@@ -1,5 +1,5 @@
dn: %ds_suffix%
changetype: modify
add: aci
-aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
+aci: (targetattr!="userPassword || aci")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
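Review bot: The new `aci: (targetattr!="userPassword || aci")...` keeps the deny-list form of targetattr, so every attribute not named there remains readable, searchable and comparable by anonymous users, and any further sensitive attribute has to be added both here and to the anonymous-read checks in ticket48354_test.py. A comment line above the entry, such as `# Attributes excluded from anonymous read; keep in sync with ticket48354_test.py`, would record that coupling (LDIF allows `#` comment lines, though whether the template substitution step preserves them should be confirmed). If this template is only applied when an instance is created, existing deployments keep the old ACI and need it updated separately; a sentence in the commit description saying so would help operators.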
--
2.4.11