|
 |
be9751 |
From 0f309fee0e2b337ee333d9ce80a6c64d6f7161ef Mon Sep 17 00:00:00 2001
|
|
|
be9751 |
From: Viktor Ashirov <vashirov@redhat.com>
|
|
|
be9751 |
Date: Thu, 12 Nov 2020 17:53:09 +0100
|
|
|
be9751 |
Subject: [PATCH] Backport tests from master branch, fix failing tests (#4425)
|
|
|
be9751 |
|
|
|
be9751 |
Relates: #2820
|
|
|
be9751 |
|
|
|
be9751 |
Reviewed by: mreynolds (Thanks!)
|
|
|
be9751 |
---
|
|
|
be9751 |
dirsrvtests/tests/suites/acl/acivattr_test.py | 50 +--
|
|
|
be9751 |
dirsrvtests/tests/suites/acl/acl_deny_test.py | 10 +-
|
|
|
be9751 |
dirsrvtests/tests/suites/acl/acl_test.py | 26 +-
|
|
|
be9751 |
.../acl/default_aci_allows_self_write.py | 4 +-
|
|
|
be9751 |
dirsrvtests/tests/suites/acl/deladd_test.py | 54 ++--
|
|
|
be9751 |
.../suites/acl/enhanced_aci_modrnd_test.py | 22 +-
|
|
|
be9751 |
.../suites/acl/globalgroup_part2_test.py | 36 ++-
|
|
|
be9751 |
.../tests/suites/acl/globalgroup_test.py | 16 +-
|
|
|
be9751 |
.../tests/suites/acl/keywords_part2_test.py | 30 +-
|
|
|
be9751 |
dirsrvtests/tests/suites/acl/keywords_test.py | 71 ++---
|
|
|
be9751 |
dirsrvtests/tests/suites/acl/misc_test.py | 104 +++---
|
|
|
be9751 |
dirsrvtests/tests/suites/acl/modrdn_test.py | 180 +++++------
|
|
|
be9751 |
dirsrvtests/tests/suites/acl/roledn_test.py | 4 +-
|
|
|
be9751 |
.../suites/acl/selfdn_permissions_test.py | 23 +-
|
|
|
be9751 |
dirsrvtests/tests/suites/acl/syntax_test.py | 56 ++--
|
|
|
be9751 |
dirsrvtests/tests/suites/acl/userattr_test.py | 6 +-
|
|
|
be9751 |
.../tests/suites/acl/valueacl_part2_test.py | 107 ++++---
|
|
|
be9751 |
dirsrvtests/tests/suites/acl/valueacl_test.py | 207 ++++++------
|
|
|
be9751 |
dirsrvtests/tests/suites/basic/basic_test.py | 23 +-
|
|
|
be9751 |
.../tests/suites/ds_logs/ds_logs_test.py | 301 ++++++++++++++----
|
|
|
be9751 |
.../filter/rfc3673_all_oper_attrs_test.py | 23 +-
|
|
|
be9751 |
.../suites/mapping_tree/acceptance_test.py | 65 ++++
|
|
|
be9751 |
.../be_del_and_default_naming_attr_test.py | 17 +-
|
|
|
be9751 |
.../password/pwdPolicy_attribute_test.py | 9 +-
|
|
|
be9751 |
.../suites/replication/changelog_test.py | 6 +-
|
|
|
be9751 |
.../replication/conflict_resolve_test.py | 4 +-
|
|
|
be9751 |
.../tests/suites/replication/rfc2307compat.py | 174 ++++++++++
|
|
|
be9751 |
dirsrvtests/tests/suites/roles/__init__.py | 3 +
|
|
|
be9751 |
dirsrvtests/tests/suites/roles/basic_test.py | 83 ++---
|
|
|
be9751 |
.../tests/suites/sasl/regression_test.py | 21 +-
|
|
|
be9751 |
.../tests/suites/syncrepl_plugin/__init__.py | 163 ++++++++++
|
|
|
be9751 |
.../suites/syncrepl_plugin/basic_test.py | 66 ++--
|
|
|
be9751 |
.../tests/suites/vlv/regression_test.py | 2 +-
|
|
|
be9751 |
33 files changed, 1319 insertions(+), 647 deletions(-)
|
|
|
be9751 |
create mode 100644 dirsrvtests/tests/suites/mapping_tree/acceptance_test.py
|
|
|
be9751 |
create mode 100644 dirsrvtests/tests/suites/replication/rfc2307compat.py
|
|
|
be9751 |
create mode 100644 dirsrvtests/tests/suites/roles/__init__.py
|
|
|
be9751 |
create mode 100644 dirsrvtests/tests/suites/syncrepl_plugin/__init__.py
|
|
|
be9751 |
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/acivattr_test.py b/dirsrvtests/tests/suites/acl/acivattr_test.py
|
|
|
be9751 |
index 35759f36e..d55eea023 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/acivattr_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/acivattr_test.py
|
|
|
be9751 |
@@ -174,18 +174,19 @@ LDAPURL_ACI = '(targetattr="*")(version 3.0; acl "url"; allow (all) userdn="ldap
|
|
|
be9751 |
'(ENG_USER, ENG_MANAGER, LDAPURL_ACI)',
|
|
|
be9751 |
])
|
|
|
be9751 |
def test_positive(topo, _add_user, aci_of_user, user, entry, aci):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- :id: ba6d5e9c-786b-11e8-860d-8c16451d917b
|
|
|
be9751 |
- :parametrized: yes
|
|
|
be9751 |
- :setup: server
|
|
|
be9751 |
- :steps:
|
|
|
be9751 |
- 1. Add test entry
|
|
|
be9751 |
- 2. Add ACI
|
|
|
be9751 |
- 3. ACI role should be followed
|
|
|
be9751 |
- :expectedresults:
|
|
|
be9751 |
- 1. Entry should be added
|
|
|
be9751 |
- 2. Operation should succeed
|
|
|
be9751 |
- 3. Operation should succeed
|
|
|
be9751 |
+ """Positive testing of ACLs
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: ba6d5e9c-786b-11e8-860d-8c16451d917b
|
|
|
be9751 |
+ :parametrized: yes
|
|
|
be9751 |
+ :setup: server
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Add test entry
|
|
|
be9751 |
+ 2. Add ACI
|
|
|
be9751 |
+ 3. ACI role should be followed
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. Entry should be added
|
|
|
be9751 |
+ 2. Operation should succeed
|
|
|
be9751 |
+ 3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
# set aci
|
|
|
be9751 |
Domain(topo.standalone, DNBASE).set("aci", aci)
|
|
|
be9751 |
@@ -225,18 +226,19 @@ def test_positive(topo, _add_user, aci_of_user, user, entry, aci):
|
|
|
be9751 |
|
|
|
be9751 |
])
|
|
|
be9751 |
def test_negative(topo, _add_user, aci_of_user, user, entry, aci):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- :id: c4c887c2-786b-11e8-a328-8c16451d917b
|
|
|
be9751 |
- :parametrized: yes
|
|
|
be9751 |
- :setup: server
|
|
|
be9751 |
- :steps:
|
|
|
be9751 |
- 1. Add test entry
|
|
|
be9751 |
- 2. Add ACI
|
|
|
be9751 |
- 3. ACI role should be followed
|
|
|
be9751 |
- :expectedresults:
|
|
|
be9751 |
- 1. Entry should be added
|
|
|
be9751 |
- 2. Operation should succeed
|
|
|
be9751 |
- 3. Operation should succeed
|
|
|
be9751 |
+ """Negative testing of ACLs
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: c4c887c2-786b-11e8-a328-8c16451d917b
|
|
|
be9751 |
+ :parametrized: yes
|
|
|
be9751 |
+ :setup: server
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Add test entry
|
|
|
be9751 |
+ 2. Add ACI
|
|
|
be9751 |
+ 3. ACI role should be followed
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. Entry should be added
|
|
|
be9751 |
+ 2. Operation should succeed
|
|
|
be9751 |
+ 3. Operation should not succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
# set aci
|
|
|
be9751 |
Domain(topo.standalone, DNBASE).set("aci", aci)
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/acl_deny_test.py b/dirsrvtests/tests/suites/acl/acl_deny_test.py
|
|
|
be9751 |
index 8ea6cd27b..96d08e9da 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/acl_deny_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/acl_deny_test.py
|
|
|
be9751 |
@@ -1,3 +1,11 @@
|
|
|
be9751 |
+# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
+# All rights reserved.
|
|
|
be9751 |
+#
|
|
|
be9751 |
+# License: GPL (version 3 or any later version).
|
|
|
be9751 |
+# See LICENSE for details.
|
|
|
be9751 |
+# --- END COPYRIGHT BLOCK ---
|
|
|
be9751 |
+#
|
|
|
be9751 |
import logging
|
|
|
be9751 |
import pytest
|
|
|
be9751 |
import os
|
|
|
be9751 |
@@ -5,7 +13,7 @@ import ldap
|
|
|
be9751 |
import time
|
|
|
be9751 |
from lib389._constants import *
|
|
|
be9751 |
from lib389.topologies import topology_st as topo
|
|
|
be9751 |
-from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES
|
|
|
be9751 |
+from lib389.idm.user import UserAccount, TEST_USER_PROPERTIES
|
|
|
be9751 |
from lib389.idm.domain import Domain
|
|
|
be9751 |
|
|
|
be9751 |
pytestmark = pytest.mark.tier1
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/acl_test.py b/dirsrvtests/tests/suites/acl/acl_test.py
|
|
|
be9751 |
index 5ca86523c..4c3214650 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/acl_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/acl_test.py
|
|
|
be9751 |
@@ -1,5 +1,5 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2016 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -14,9 +14,8 @@ from lib389.schema import Schema
|
|
|
be9751 |
from lib389.idm.domain import Domain
|
|
|
be9751 |
from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES
|
|
|
be9751 |
from lib389.idm.organizationalrole import OrganizationalRole, OrganizationalRoles
|
|
|
be9751 |
-
|
|
|
be9751 |
from lib389.topologies import topology_m2
|
|
|
be9751 |
-from lib389._constants import SUFFIX, DN_SCHEMA, DN_DM, DEFAULT_SUFFIX, PASSWORD
|
|
|
be9751 |
+from lib389._constants import SUFFIX, DN_DM, DEFAULT_SUFFIX, PASSWORD
|
|
|
be9751 |
|
|
|
be9751 |
pytestmark = pytest.mark.tier1
|
|
|
be9751 |
|
|
|
be9751 |
@@ -243,6 +242,14 @@ def moddn_setup(topology_m2):
|
|
|
be9751 |
'userpassword': BIND_PW})
|
|
|
be9751 |
user.create(properties=user_props, basedn=SUFFIX)
|
|
|
be9751 |
|
|
|
be9751 |
+ # Add anonymous read aci
|
|
|
be9751 |
+ ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"*\")" % (SUFFIX)
|
|
|
be9751 |
+ ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
|
|
|
be9751 |
+ ACI_SUBJECT = " userdn = \"ldap:///anyone\";)"
|
|
|
be9751 |
+ ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
|
|
|
be9751 |
+ suffix = Domain(m1, SUFFIX)
|
|
|
be9751 |
+ suffix.add('aci', ACI_BODY)
|
|
|
be9751 |
+
|
|
|
be9751 |
# DIT for staging
|
|
|
be9751 |
m1.log.info("Add {}".format(STAGING_DN))
|
|
|
be9751 |
o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"})
|
|
|
be9751 |
@@ -411,7 +418,8 @@ def test_moddn_staging_prod(topology_m2, moddn_setup,
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_moddn_staging_prod_9(topology_m2, moddn_setup):
|
|
|
be9751 |
- """
|
|
|
be9751 |
+ """Test with nsslapd-moddn-aci set to off so that MODDN requires an 'add' aci.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 222dd7e8-7ff1-40b8-ad26-6f8e42fbfcd9
|
|
|
be9751 |
:setup: MMR with two masters,
|
|
|
be9751 |
M1 - staging DIT
|
|
|
be9751 |
@@ -1061,10 +1069,12 @@ def test_mode_legacy_ger_with_moddn(topology_m2, moddn_setup):
|
|
|
be9751 |
@pytest.fixture(scope="module")
|
|
|
be9751 |
def rdn_write_setup(topology_m2):
|
|
|
be9751 |
topology_m2.ms["master1"].log.info("\n\n######## Add entry tuser ########\n")
|
|
|
be9751 |
- topology_m2.ms["master1"].add_s(Entry((SRC_ENTRY_DN, {
|
|
|
be9751 |
- 'objectclass': "top person".split(),
|
|
|
be9751 |
- 'sn': SRC_ENTRY_CN,
|
|
|
be9751 |
- 'cn': SRC_ENTRY_CN})))
|
|
|
be9751 |
+ user = UserAccount(topology_m2.ms["master1"], SRC_ENTRY_DN)
|
|
|
be9751 |
+ user_props = TEST_USER_PROPERTIES.copy()
|
|
|
be9751 |
+ user_props.update({'sn': SRC_ENTRY_CN,
|
|
|
be9751 |
+ 'cn': SRC_ENTRY_CN,
|
|
|
be9751 |
+ 'userpassword': BIND_PW})
|
|
|
be9751 |
+ user.create(properties=user_props, basedn=SUFFIX)
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_rdn_write_get_ger(topology_m2, rdn_write_setup):
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/default_aci_allows_self_write.py b/dirsrvtests/tests/suites/acl/default_aci_allows_self_write.py
|
|
|
be9751 |
index 5700abfba..9c7226b42 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/default_aci_allows_self_write.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/default_aci_allows_self_write.py
|
|
|
be9751 |
@@ -21,7 +21,7 @@ pytestmark = pytest.mark.tier1
|
|
|
be9751 |
USER_PASSWORD = "some test password"
|
|
|
be9751 |
NEW_USER_PASSWORD = "some new password"
|
|
|
be9751 |
|
|
|
be9751 |
-@pytest.mark.skipif(default_paths.perl_enabled or ds_is_older('1.4.2.0'), reason="Default aci's in older versions do not support this functionality")
|
|
|
be9751 |
+@pytest.mark.skipif(ds_is_older('1.4.2.0'), reason="Default aci's in older versions do not support this functionality")
|
|
|
be9751 |
def test_acl_default_allow_self_write_nsuser(topology):
|
|
|
be9751 |
"""
|
|
|
be9751 |
Testing nsusers can self write and self read. This it a sanity test
|
|
|
be9751 |
@@ -80,7 +80,7 @@ def test_acl_default_allow_self_write_nsuser(topology):
|
|
|
be9751 |
self_ent.change_password(USER_PASSWORD, NEW_USER_PASSWORD)
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-@pytest.mark.skipif(default_paths.perl_enabled or ds_is_older('1.4.2.0'), reason="Default aci's in older versions do not support this functionality")
|
|
|
be9751 |
+@pytest.mark.skipif(ds_is_older('1.4.2.0'), reason="Default aci's in older versions do not support this functionality")
|
|
|
be9751 |
def test_acl_default_allow_self_write_user(topology):
|
|
|
be9751 |
"""
|
|
|
be9751 |
Testing users can self write and self read. This it a sanity test
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/deladd_test.py b/dirsrvtests/tests/suites/acl/deladd_test.py
|
|
|
be9751 |
index 45a66be94..afdc772d1 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/deladd_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/deladd_test.py
|
|
|
be9751 |
@@ -86,8 +86,8 @@ def _add_user(request, topo):
|
|
|
be9751 |
|
|
|
be9751 |
def test_allow_delete_access_to_groupdn(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test allow delete access to groupdn
|
|
|
be9751 |
+ """Test allow delete access to groupdn
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 7cf15992-68ad-11e8-85af-54e1ad30572c
|
|
|
be9751 |
:setup: topo.standalone
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -124,8 +124,8 @@ def test_allow_delete_access_to_groupdn(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
def test_allow_add_access_to_anyone(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test to allow add access to anyone
|
|
|
be9751 |
+ """Test to allow add access to anyone
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 5ca31cc4-68e0-11e8-8666-8c16451d917b
|
|
|
be9751 |
:setup: topo.standalone
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -160,8 +160,8 @@ def test_allow_add_access_to_anyone(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
def test_allow_delete_access_to_anyone(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test to allow delete access to anyone
|
|
|
be9751 |
+ """Test to allow delete access to anyone
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: f5447c7e-68e1-11e8-84c4-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -191,8 +191,8 @@ def test_allow_delete_access_to_anyone(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
def test_allow_delete_access_not_to_userdn(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test to Allow delete access to != userdn
|
|
|
be9751 |
+ """Test to Allow delete access to != userdn
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 00637f6e-68e3-11e8-92a3-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -224,8 +224,8 @@ def test_allow_delete_access_not_to_userdn(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
def test_allow_delete_access_not_to_group(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test to Allow delete access to != groupdn
|
|
|
be9751 |
+ """Test to Allow delete access to != groupdn
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: f58fc8b0-68e5-11e8-9313-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -263,8 +263,8 @@ def test_allow_delete_access_not_to_group(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
def test_allow_add_access_to_parent(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test to Allow add privilege to parent
|
|
|
be9751 |
+ """Test to Allow add privilege to parent
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 9f099845-9dbc-412f-bdb9-19a5ea729694
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -299,8 +299,8 @@ def test_allow_add_access_to_parent(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
def test_allow_delete_access_to_parent(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test to Allow delete access to parent
|
|
|
be9751 |
+ """Test to Allow delete access to parent
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 2dd7f624-68e7-11e8-8591-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -333,10 +333,10 @@ def test_allow_delete_access_to_parent(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
new_user.delete()
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_allow_delete_access_to_dynamic_group(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
+def test_allow_delete_access_to_dynamic_group(topo, _add_user, _aci_of_user, request):
|
|
|
be9751 |
+
|
|
|
be9751 |
+ """Test to Allow delete access to dynamic group
|
|
|
be9751 |
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test to Allow delete access to dynamic group
|
|
|
be9751 |
:id: 14ffa452-68ed-11e8-a60d-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -361,8 +361,8 @@ def test_allow_delete_access_to_dynamic_group(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
# Set ACI
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
- add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
|
|
|
be9751 |
- f'(version 3.0; acl "$tet_thistest"; '
|
|
|
be9751 |
+ add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
|
|
|
be9751 |
+ f'(version 3.0; acl "{request.node.name}"; '
|
|
|
be9751 |
f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')
|
|
|
be9751 |
|
|
|
be9751 |
# create connection with USER_WITH_ACI_DELADD
|
|
|
be9751 |
@@ -372,10 +372,10 @@ def test_allow_delete_access_to_dynamic_group(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
UserAccount(conn, USER_DELADD).delete()
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
+def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user, request):
|
|
|
be9751 |
+
|
|
|
be9751 |
+ """Test to Allow delete access to dynamic group
|
|
|
be9751 |
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test to Allow delete access to dynamic group
|
|
|
be9751 |
:id: 010a4f20-752a-4173-b763-f520c7a85b82
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -401,7 +401,7 @@ def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user)
|
|
|
be9751 |
# Set ACI
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=uid)(version 3.0; acl "$tet_thistest"; '
|
|
|
be9751 |
+ f'(targetattr="uid")(version 3.0; acl "{request.node.name}"; '
|
|
|
be9751 |
f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')
|
|
|
be9751 |
|
|
|
be9751 |
# create connection with USER_WITH_ACI_DELADD
|
|
|
be9751 |
@@ -411,10 +411,10 @@ def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user)
|
|
|
be9751 |
UserAccount(conn, USER_DELADD).delete()
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user):
|
|
|
be9751 |
+def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user, request):
|
|
|
be9751 |
+
|
|
|
be9751 |
+ """Test to Allow delete access to != dynamic group
|
|
|
be9751 |
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test to Allow delete access to != dynamic group
|
|
|
be9751 |
:id: 9ecb139d-bca8-428e-9044-fd89db5a3d14
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -439,7 +439,7 @@ def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user)
|
|
|
be9751 |
# Set ACI
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; acl "$tet_thistest"; '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; acl "{request.node.name}"; '
|
|
|
be9751 |
f'allow (delete) (groupdn != "ldap:///{group.dn}"); )')
|
|
|
be9751 |
|
|
|
be9751 |
# create connection with USER_WITH_ACI_DELADD
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py b/dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py
|
|
|
be9751 |
index ca9456935..0cecde4b8 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py
|
|
|
be9751 |
@@ -1,5 +1,5 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2016 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -31,15 +31,13 @@ def env_setup(topology_st):
|
|
|
be9751 |
|
|
|
be9751 |
log.info("Add a container: %s" % CONTAINER_1)
|
|
|
be9751 |
topology_st.standalone.add_s(Entry((CONTAINER_1,
|
|
|
be9751 |
- {'objectclass': 'top',
|
|
|
be9751 |
- 'objectclass': 'organizationalunit',
|
|
|
be9751 |
+ {'objectclass': ['top','organizationalunit'],
|
|
|
be9751 |
'ou': CONTAINER_1_OU,
|
|
|
be9751 |
})))
|
|
|
be9751 |
|
|
|
be9751 |
log.info("Add a container: %s" % CONTAINER_2)
|
|
|
be9751 |
topology_st.standalone.add_s(Entry((CONTAINER_2,
|
|
|
be9751 |
- {'objectclass': 'top',
|
|
|
be9751 |
- 'objectclass': 'organizationalunit',
|
|
|
be9751 |
+ {'objectclass': ['top', 'organizationalunit'],
|
|
|
be9751 |
'ou': CONTAINER_2_OU,
|
|
|
be9751 |
})))
|
|
|
be9751 |
|
|
|
be9751 |
@@ -75,13 +73,13 @@ def test_enhanced_aci_modrnd(topology_st, env_setup):
|
|
|
be9751 |
:id: 492cf2a9-2efe-4e3b-955e-85eca61d66b9
|
|
|
be9751 |
:setup: Standalone instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
- 1. Create two containers
|
|
|
be9751 |
- 2. Create a user within "ou=test_ou_1,dc=example,dc=com"
|
|
|
be9751 |
- 3. Add an aci with a rule "cn=test_user is allowed all" within these containers
|
|
|
be9751 |
- 4. Run MODRDN operation on the "cn=test_user" and set "newsuperior" to
|
|
|
be9751 |
- the "ou=test_ou_2,dc=example,dc=com"
|
|
|
be9751 |
- 5. Check there is no user under container one (ou=test_ou_1,dc=example,dc=com)
|
|
|
be9751 |
- 6. Check there is a user under container two (ou=test_ou_2,dc=example,dc=com)
|
|
|
be9751 |
+ 1. Create two containers
|
|
|
be9751 |
+ 2. Create a user within "ou=test_ou_1,dc=example,dc=com"
|
|
|
be9751 |
+ 3. Add an aci with a rule "cn=test_user is allowed all" within these containers
|
|
|
be9751 |
+ 4. Run MODRDN operation on the "cn=test_user" and set "newsuperior" to
|
|
|
be9751 |
+ the "ou=test_ou_2,dc=example,dc=com"
|
|
|
be9751 |
+ 5. Check there is no user under container one (ou=test_ou_1,dc=example,dc=com)
|
|
|
be9751 |
+ 6. Check there is a user under container two (ou=test_ou_2,dc=example,dc=com)
|
|
|
be9751 |
|
|
|
be9751 |
:expectedresults:
|
|
|
be9751 |
1. Two containers should be created
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/globalgroup_part2_test.py b/dirsrvtests/tests/suites/acl/globalgroup_part2_test.py
|
|
|
be9751 |
index b10fb1b65..7474f61f0 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/globalgroup_part2_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/globalgroup_part2_test.py
|
|
|
be9751 |
@@ -1,5 +1,5 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2019 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -70,6 +70,14 @@ def test_user(request, topo):
|
|
|
be9751 |
'userPassword': PW_DM
|
|
|
be9751 |
})
|
|
|
be9751 |
|
|
|
be9751 |
+ # Add anonymous access aci
|
|
|
be9751 |
+ ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
|
|
|
be9751 |
+ ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
|
|
|
be9751 |
+ ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
|
|
|
be9751 |
+ ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
|
|
|
be9751 |
+ suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
+ suffix.add('aci', ANON_ACI)
|
|
|
be9751 |
+
|
|
|
be9751 |
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'uid=GROUPDNATTRSCRATCHENTRY_GLOBAL,ou=nestedgroup')
|
|
|
be9751 |
for demo1 in ['c1', 'CHILD1_GLOBAL']:
|
|
|
be9751 |
uas.create(properties={
|
|
|
be9751 |
@@ -112,7 +120,7 @@ def test_undefined_in_group_eval_five(topo, test_user, aci_of_user):
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPF_GLOBAL))
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPF_GLOBAL))
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER2_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
# This aci should NOT allow access
|
|
|
be9751 |
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
@@ -140,7 +148,7 @@ def test_undefined_in_group_eval_six(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, ALLGROUPS_GLOBAL))
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, ALLGROUPS_GLOBAL))
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
# test UNDEFINED in group
|
|
|
be9751 |
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
@@ -168,7 +176,7 @@ def test_undefined_in_group_eval_seven(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPH_GLOBAL))
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPH_GLOBAL))
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
# test UNDEFINED in group
|
|
|
be9751 |
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
@@ -196,7 +204,7 @@ def test_undefined_in_group_eval_eight(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{} || ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, GROUPA_GLOBAL, ALLGROUPS_GLOBAL))
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{} || ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, GROUPA_GLOBAL, ALLGROUPS_GLOBAL))
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
# test UNDEFINED in group
|
|
|
be9751 |
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
@@ -224,7 +232,7 @@ def test_undefined_in_group_eval_nine(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{} || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPA_GLOBAL, GROUPH_GLOBAL))
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{} || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPA_GLOBAL, GROUPH_GLOBAL))
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
# test UNDEFINED in group
|
|
|
be9751 |
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
@@ -252,7 +260,7 @@ def test_undefined_in_group_eval_ten(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "description#GROUPDN";)')
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "description#GROUPDN";)')
|
|
|
be9751 |
user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
@@ -281,7 +289,7 @@ def test_undefined_in_group_eval_eleven(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not( userattr = "description#GROUPDN");)')
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not( userattr = "description#GROUPDN");)')
|
|
|
be9751 |
user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
@@ -312,7 +320,7 @@ def test_undefined_in_group_eval_twelve(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
|
|
|
be9751 |
user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
user.add("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
@@ -341,7 +349,7 @@ def test_undefined_in_group_eval_fourteen(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
|
|
|
be9751 |
user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER2_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
@@ -372,7 +380,7 @@ def test_undefined_in_group_eval_fifteen(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#USERDN";)')
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#USERDN";)')
|
|
|
be9751 |
UserAccount(topo.standalone, NESTEDGROUP_OU_GLOBAL).add("description", DEEPUSER_GLOBAL)
|
|
|
be9751 |
# Here do the same tests for userattr with the parent keyword.
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
@@ -399,7 +407,7 @@ def test_undefined_in_group_eval_sixteen(topo, test_user, aci_of_user):
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
- domain.add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not ( userattr = "parent[0,1].description#USERDN");)')
|
|
|
be9751 |
+ domain.add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not ( userattr = "parent[0,1].description#USERDN");)')
|
|
|
be9751 |
domain.add("description", DEEPUSER_GLOBAL)
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
# Test with parent keyword with not key
|
|
|
be9751 |
@@ -427,7 +435,7 @@ def test_undefined_in_group_eval_seventeen(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')
|
|
|
be9751 |
user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
# Test with the parent keyord
|
|
|
be9751 |
user.add("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])
|
|
|
be9751 |
@@ -455,7 +463,7 @@ def test_undefined_in_group_eval_eighteen(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not (userattr = "parent[0,1].description#GROUPDN" );)')
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not (userattr = "parent[0,1].description#GROUPDN" );)')
|
|
|
be9751 |
user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
# Test with parent keyword with not key
|
|
|
be9751 |
user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/globalgroup_test.py b/dirsrvtests/tests/suites/acl/globalgroup_test.py
|
|
|
be9751 |
index 58c4392e5..dc51a8170 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/globalgroup_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/globalgroup_test.py
|
|
|
be9751 |
@@ -1,5 +1,5 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2019 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -72,6 +72,14 @@ def test_user(request, topo):
|
|
|
be9751 |
'userPassword': PW_DM
|
|
|
be9751 |
})
|
|
|
be9751 |
|
|
|
be9751 |
+ # Add anonymous access aci
|
|
|
be9751 |
+ ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
|
|
|
be9751 |
+ ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
|
|
|
be9751 |
+ ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
|
|
|
be9751 |
+ ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
|
|
|
be9751 |
+ suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
+ suffix.add('aci', ANON_ACI)
|
|
|
be9751 |
+
|
|
|
be9751 |
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'ou=nestedgroup')
|
|
|
be9751 |
for demo1 in ['DEEPUSER_GLOBAL', 'scratchEntry', 'DEEPUSER2_GLOBAL', 'DEEPUSER1_GLOBAL',
|
|
|
be9751 |
'DEEPUSER3_GLOBAL', 'GROUPDNATTRSCRATCHENTRY_GLOBAL', 'newChild']:
|
|
|
be9751 |
@@ -361,7 +369,7 @@ def test_undefined_in_group_eval_two(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
# This aci should allow access
|
|
|
be9751 |
@@ -389,7 +397,7 @@ def test_undefined_in_group_eval_three(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL))
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL))
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
user = Domain(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
# test UNDEFINED in group
|
|
|
be9751 |
@@ -417,7 +425,7 @@ def test_undefined_in_group_eval_four(topo, test_user, aci_of_user):
|
|
|
be9751 |
4. Operation should succeed
|
|
|
be9751 |
5. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
|
|
|
be9751 |
conn = UserAccount(topo.standalone, DEEPUSER1_GLOBAL).bind(PW_DM)
|
|
|
be9751 |
# test UNDEFINED in group
|
|
|
be9751 |
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/keywords_part2_test.py b/dirsrvtests/tests/suites/acl/keywords_part2_test.py
|
|
|
be9751 |
index c2aa9ac53..642e65bad 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/keywords_part2_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/keywords_part2_test.py
|
|
|
be9751 |
@@ -1,5 +1,5 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2019 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -68,7 +68,7 @@ def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
- domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '
|
|
|
be9751 |
+ domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci "IP aci"; '
|
|
|
be9751 |
f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
# create a new connection for the test
|
|
|
be9751 |
@@ -76,12 +76,13 @@ def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):
|
|
|
be9751 |
# Perform Operation
|
|
|
be9751 |
org = OrganizationalUnit(conn, IP_OU_KEY)
|
|
|
be9751 |
org.replace("seeAlso", "cn=1")
|
|
|
be9751 |
+
|
|
|
be9751 |
# remove the aci
|
|
|
be9751 |
- domain.ensure_removed("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci '
|
|
|
be9751 |
+ domain.ensure_removed("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci '
|
|
|
be9751 |
f'"IP aci"; allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and '
|
|
|
be9751 |
f'ip = "{ip_ip}" ;)')
|
|
|
be9751 |
# Now add aci with new ip
|
|
|
be9751 |
- domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '
|
|
|
be9751 |
+ domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")(version 3.0; aci "IP aci"; '
|
|
|
be9751 |
f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "100.1.1.1" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
# After changing the ip user cant access data
|
|
|
be9751 |
@@ -106,10 +107,11 @@ def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):
|
|
|
be9751 |
"""
|
|
|
be9751 |
# Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
|
|
|
be9751 |
ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]
|
|
|
be9751 |
+
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "IP aci"; '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "IP aci"; '
|
|
|
be9751 |
f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '
|
|
|
be9751 |
f'and ip != "{ip_ip}" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
@@ -122,7 +124,7 @@ def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):
|
|
|
be9751 |
# Remove the ACI
|
|
|
be9751 |
domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])
|
|
|
be9751 |
# Add new ACI
|
|
|
be9751 |
- domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)'
|
|
|
be9751 |
+ domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; aci "IP aci"; allow(all) '
|
|
|
be9751 |
f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
@@ -148,7 +150,7 @@ def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone,
|
|
|
be9751 |
DEFAULT_SUFFIX).add("aci", f'(target ="ldap:///{IP_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "IP aci"; allow(all) '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "IP aci"; allow(all) '
|
|
|
be9751 |
f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
# Create a new connection for this test.
|
|
|
be9751 |
@@ -177,7 +179,7 @@ def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone,
|
|
|
be9751 |
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
|
|
|
be9751 |
f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '
|
|
|
be9751 |
f'(timeofday >= "0000" and timeofday <= "2359") ;)')
|
|
|
be9751 |
|
|
|
be9751 |
@@ -206,7 +208,7 @@ def test_user_can_access_the_data_only_in_the_morning(topo, add_user, aci_of_use
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone,
|
|
|
be9751 |
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
|
|
|
be9751 |
f'allow(all) userdn = "ldap:///{DAYWORKER_KEY}" '
|
|
|
be9751 |
f'and timeofday < "1200" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
@@ -239,7 +241,7 @@ def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_u
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone,
|
|
|
be9751 |
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
|
|
|
be9751 |
f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" '
|
|
|
be9751 |
f'and timeofday > \'1200\' ;)')
|
|
|
be9751 |
|
|
|
be9751 |
@@ -275,7 +277,7 @@ def test_timeofday_keyword(topo, add_user, aci_of_user):
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
domain = Domain(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
domain.add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
|
|
|
be9751 |
f'allow(all) userdn = "ldap:///{NOWORKER_KEY}" '
|
|
|
be9751 |
f'and timeofday = \'{now_1}\' ;)')
|
|
|
be9751 |
|
|
|
be9751 |
@@ -312,7 +314,7 @@ def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user)
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone,
|
|
|
be9751 |
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "Dayofweek aci"; '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
|
|
|
be9751 |
f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '
|
|
|
be9751 |
f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
@@ -342,7 +344,7 @@ def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone,
|
|
|
be9751 |
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "Dayofweek aci"; '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
|
|
|
be9751 |
f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
|
|
|
be9751 |
f'and dayofweek = \'{today_1}\' ;)')
|
|
|
be9751 |
|
|
|
be9751 |
@@ -371,7 +373,7 @@ def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone,
|
|
|
be9751 |
DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "Dayofweek aci"; '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
|
|
|
be9751 |
f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
|
|
|
be9751 |
f'and dayofweek = "$NEW_DATE" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/keywords_test.py b/dirsrvtests/tests/suites/acl/keywords_test.py
|
|
|
be9751 |
index 138e3ede1..0174152e3 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/keywords_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/keywords_test.py
|
|
|
be9751 |
@@ -39,11 +39,11 @@ NONE_2_KEY = "uid=NONE_2_KEY,{}".format(AUTHMETHOD_OU_KEY)
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
NONE_ACI_KEY = f'(target = "ldap:///{AUTHMETHOD_OU_KEY}")' \
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "Authmethod aci"; ' \
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "Authmethod aci"; ' \
|
|
|
be9751 |
f'allow(all) userdn = "ldap:///{NONE_1_KEY}" and authmethod = "none" ;)'
|
|
|
be9751 |
|
|
|
be9751 |
SIMPLE_ACI_KEY = f'(target = "ldap:///{AUTHMETHOD_OU_KEY}")' \
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "Authmethod aci"; ' \
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "Authmethod aci"; ' \
|
|
|
be9751 |
f'allow(all) userdn = "ldap:///{SIMPLE_1_KEY}" and authmethod = "simple" ;)'
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
@@ -55,8 +55,7 @@ def _add_aci(topo, name):
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_user_binds_with_a_password_and_can_access_the_data(topo, add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User binds with a password and can access the data as per the ACI.
|
|
|
be9751 |
+ """User binds with a password and can access the data as per the ACI.
|
|
|
be9751 |
|
|
|
be9751 |
:id: f6c4b6f0-7ac4-11e8-a517-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
@@ -78,8 +77,7 @@ def test_user_binds_with_a_password_and_can_access_the_data(topo, add_user, aci_
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_user_binds_with_a_bad_password_and_cannot_access_the_data(topo, add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User binds with a BAD password and cannot access the data .
|
|
|
be9751 |
+ """User binds with a BAD password and cannot access the data .
|
|
|
be9751 |
|
|
|
be9751 |
:id: 0397744e-7ac5-11e8-bfb1-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
@@ -98,8 +96,7 @@ def test_user_binds_with_a_bad_password_and_cannot_access_the_data(topo, add_use
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_anonymous_user_cannot_access_the_data(topo, add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Anonymous user cannot access the data
|
|
|
be9751 |
+ """Anonymous user cannot access the data
|
|
|
be9751 |
|
|
|
be9751 |
:id: 0821a55c-7ac5-11e8-b214-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
@@ -124,8 +121,7 @@ def test_anonymous_user_cannot_access_the_data(topo, add_user, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_authenticated_but_has_no_rigth_on_the_data(topo, add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User has a password. He is authenticated but has no rigth on the data.
|
|
|
be9751 |
+ """User has a password. He is authenticated but has no rigth on the data.
|
|
|
be9751 |
|
|
|
be9751 |
:id: 11be7ebe-7ac5-11e8-b754-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
@@ -150,10 +146,9 @@ def test_authenticated_but_has_no_rigth_on_the_data(topo, add_user, aci_of_user)
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_the_bind_client_is_accessing_the_directory(topo, add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- The bind rule is evaluated to be true if the client is accessing the directory as per the ACI.
|
|
|
be9751 |
+ """The bind rule is evaluated to be true if the client is accessing the directory as per the ACI.
|
|
|
be9751 |
|
|
|
be9751 |
- :id: 1715bfb2-7ac5-11e8-8f2c-8c16451d917b
|
|
|
be9751 |
+ :id: 1715bfb2-7ac5-11e8-8f2c-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
1. Add test entry
|
|
|
be9751 |
@@ -175,8 +170,7 @@ def test_the_bind_client_is_accessing_the_directory(topo, add_user, aci_of_user)
|
|
|
be9751 |
|
|
|
be9751 |
def test_users_binds_with_a_password_and_can_access_the_data(
|
|
|
be9751 |
topo, add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User binds with a password and can access the data as per the ACI.
|
|
|
be9751 |
+ """User binds with a password and can access the data as per the ACI.
|
|
|
be9751 |
|
|
|
be9751 |
:id: 1bd01cb4-7ac5-11e8-a2f1-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
@@ -199,8 +193,7 @@ def test_users_binds_with_a_password_and_can_access_the_data(
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_user_binds_without_any_password_and_cannot_access_the_data(topo, add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User binds without any password and cannot access the data
|
|
|
be9751 |
+ """User binds without any password and cannot access the data
|
|
|
be9751 |
|
|
|
be9751 |
:id: 205777fa-7ac5-11e8-ba2f-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
@@ -227,8 +220,7 @@ def test_user_binds_without_any_password_and_cannot_access_the_data(topo, add_us
|
|
|
be9751 |
def test_user_can_access_the_data_when_connecting_from_any_machine(
|
|
|
be9751 |
topo, add_user, aci_of_user
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User can access the data when connecting from any machine as per the ACI.
|
|
|
be9751 |
+ """User can access the data when connecting from any machine as per the ACI.
|
|
|
be9751 |
|
|
|
be9751 |
:id: 28cbc008-7ac5-11e8-934e-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
@@ -244,7 +236,7 @@ def test_user_can_access_the_data_when_connecting_from_any_machine(
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX)\
|
|
|
be9751 |
.add("aci", f'(target ="ldap:///{DNS_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
|
|
|
be9751 |
f'userdn = "ldap:///{FULLDNS_KEY}" and dns = "*" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
# Create a new connection for this test.
|
|
|
be9751 |
@@ -256,8 +248,8 @@ def test_user_can_access_the_data_when_connecting_from_any_machine(
|
|
|
be9751 |
def test_user_can_access_the_data_when_connecting_from_internal_ds_network_only(
|
|
|
be9751 |
topo, add_user, aci_of_user
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User can access the data when connecting from internal ICNC network only as per the ACI.
|
|
|
be9751 |
+ """User can access the data when connecting from internal ICNC network only as per the ACI.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 2cac2136-7ac5-11e8-8328-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -273,9 +265,9 @@ def test_user_can_access_the_data_when_connecting_from_internal_ds_network_only(
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
add("aci", [f'(target = "ldap:///{DNS_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "DNS aci"; '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "DNS aci"; '
|
|
|
be9751 |
f'allow(all) userdn = "ldap:///{SUNDNS_KEY}" and dns = "*redhat.com" ;)',
|
|
|
be9751 |
- f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
|
|
|
be9751 |
+ f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; aci "DNS aci"; allow(all) '
|
|
|
be9751 |
f'userdn = "ldap:///{SUNDNS_KEY}" and dns = "{dns_name}" ;)'])
|
|
|
be9751 |
|
|
|
be9751 |
@@ -288,8 +280,7 @@ def test_user_can_access_the_data_when_connecting_from_internal_ds_network_only(
|
|
|
be9751 |
def test_user_can_access_the_data_when_connecting_from_some_network_only(
|
|
|
be9751 |
topo, add_user, aci_of_user
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User can access the data when connecting from some network only as per the ACI.
|
|
|
be9751 |
+ """User can access the data when connecting from some network only as per the ACI.
|
|
|
be9751 |
|
|
|
be9751 |
:id: 3098512a-7ac5-11e8-af85-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
@@ -306,7 +297,7 @@ def test_user_can_access_the_data_when_connecting_from_some_network_only(
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX)\
|
|
|
be9751 |
.add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
|
|
|
be9751 |
f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
|
|
|
be9751 |
f'and dns = "{dns_name}" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
@@ -317,8 +308,7 @@ def test_user_can_access_the_data_when_connecting_from_some_network_only(
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_from_an_unauthorized_network(topo, add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User cannot access the data when connecting from an unauthorized network as per the ACI.
|
|
|
be9751 |
+ """User cannot access the data when connecting from an unauthorized network as per the ACI.
|
|
|
be9751 |
|
|
|
be9751 |
:id: 34cf9726-7ac5-11e8-bc12-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
@@ -334,7 +324,7 @@ def test_from_an_unauthorized_network(topo, add_user, aci_of_user):
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
|
|
|
be9751 |
f'userdn = "ldap:///{NETSCAPEDNS_KEY}" and dns != "red.iplanet.com" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
# Create a new connection for this test.
|
|
|
be9751 |
@@ -345,8 +335,7 @@ def test_from_an_unauthorized_network(topo, add_user, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_network_2(
|
|
|
be9751 |
topo, add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User cannot access the data when connecting from an unauthorized network as per the ACI.
|
|
|
be9751 |
+ """User cannot access the data when connecting from an unauthorized network as per the ACI.
|
|
|
be9751 |
|
|
|
be9751 |
:id: 396bdd44-7ac5-11e8-8014-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
@@ -362,7 +351,7 @@ def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_networ
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
|
|
|
be9751 |
f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
|
|
|
be9751 |
f'and dnsalias != "www.redhat.com" ;)')
|
|
|
be9751 |
|
|
|
be9751 |
@@ -373,8 +362,8 @@ def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_networ
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_user_cannot_access_the_data_if_not_from_a_certain_domain(topo, add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User cannot access the data if not from a certain domain as per the ACI.
|
|
|
be9751 |
+ """User cannot access the data if not from a certain domain as per the ACI.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 3d658972-7ac5-11e8-930f-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -388,7 +377,7 @@ def test_user_cannot_access_the_data_if_not_from_a_certain_domain(topo, add_user
|
|
|
be9751 |
"""
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
- add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
|
|
|
be9751 |
+ add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; aci "DNS aci"; allow(all) '
|
|
|
be9751 |
f'userdn = "ldap:///{NODNS_KEY}" '
|
|
|
be9751 |
f'and dns = "RAP.rock.SALSA.house.COM" ;)')
|
|
|
be9751 |
@@ -402,8 +391,7 @@ def test_user_cannot_access_the_data_if_not_from_a_certain_domain(topo, add_user
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Dnsalias Keyword NODNS_KEY cannot assess data as per the ACI.
|
|
|
be9751 |
+ """Dnsalias Keyword NODNS_KEY cannot assess data as per the ACI.
|
|
|
be9751 |
|
|
|
be9751 |
:id: 41b467be-7ac5-11e8-89a3-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Server
|
|
|
be9751 |
@@ -418,7 +406,7 @@ def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
|
|
|
be9751 |
"""
|
|
|
be9751 |
# Add ACI
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
- add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
|
|
|
be9751 |
+ add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; aci "DNS aci"; allow(all) '
|
|
|
be9751 |
f'userdn = "ldap:///{NODNS_KEY}" and '
|
|
|
be9751 |
f'dnsalias = "RAP.rock.SALSA.house.COM" ;)')
|
|
|
be9751 |
@@ -434,8 +422,7 @@ def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
|
|
|
be9751 |
@pytest.mark.bz1710848
|
|
|
be9751 |
@pytest.mark.parametrize("ip_addr", ['127.0.0.1', "[::1]"])
|
|
|
be9751 |
def test_user_can_access_from_ipv4_or_ipv6_address(topo, add_user, aci_of_user, ip_addr):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- User can modify the data when accessing the server from the allowed IPv4 and IPv6 addresses
|
|
|
be9751 |
+ """User can modify the data when accessing the server from the allowed IPv4 and IPv6 addresses
|
|
|
be9751 |
|
|
|
be9751 |
:id: 461e761e-7ac5-11e8-9ae4-8c16451d917b
|
|
|
be9751 |
:parametrized: yes
|
|
|
be9751 |
@@ -451,7 +438,7 @@ def test_user_can_access_from_ipv4_or_ipv6_address(topo, add_user, aci_of_user,
|
|
|
be9751 |
"""
|
|
|
be9751 |
# Add ACI that contains both IPv4 and IPv6
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
- add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr=*) '
|
|
|
be9751 |
+ add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr="*") '
|
|
|
be9751 |
f'(version 3.0; aci "IP aci"; allow(all) '
|
|
|
be9751 |
f'userdn = "ldap:///{FULLIP_KEY}" and (ip = "127.0.0.1" or ip = "::1");)')
|
|
|
be9751 |
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/misc_test.py b/dirsrvtests/tests/suites/acl/misc_test.py
|
|
|
be9751 |
index 8f122b7a7..5f0e3eb72 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/misc_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/misc_test.py
|
|
|
be9751 |
@@ -1,6 +1,6 @@
|
|
|
be9751 |
"""
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2019 RED Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 RED Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -8,6 +8,7 @@
|
|
|
be9751 |
# --- END COPYRIGHT BLOCK ----
|
|
|
be9751 |
"""
|
|
|
be9751 |
|
|
|
be9751 |
+import ldap
|
|
|
be9751 |
import os
|
|
|
be9751 |
import pytest
|
|
|
be9751 |
|
|
|
be9751 |
@@ -21,8 +22,6 @@ from lib389.topologies import topology_st as topo
|
|
|
be9751 |
from lib389.idm.domain import Domain
|
|
|
be9751 |
from lib389.plugins import ACLPlugin
|
|
|
be9751 |
|
|
|
be9751 |
-import ldap
|
|
|
be9751 |
-
|
|
|
be9751 |
pytestmark = pytest.mark.tier1
|
|
|
be9751 |
|
|
|
be9751 |
PEOPLE = "ou=PEOPLE,{}".format(DEFAULT_SUFFIX)
|
|
|
be9751 |
@@ -37,7 +36,19 @@ def aci_of_user(request, topo):
|
|
|
be9751 |
:param request:
|
|
|
be9751 |
:param topo:
|
|
|
be9751 |
"""
|
|
|
be9751 |
- aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Add anonymous access aci
|
|
|
be9751 |
+ ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
|
|
|
be9751 |
+ ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
|
|
|
be9751 |
+ ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
|
|
|
be9751 |
+ ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
|
|
|
be9751 |
+ suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
+ try:
|
|
|
be9751 |
+ suffix.add('aci', ANON_ACI)
|
|
|
be9751 |
+ except ldap.TYPE_OR_VALUE_EXISTS:
|
|
|
be9751 |
+ pass
|
|
|
be9751 |
+
|
|
|
be9751 |
+ aci_list = suffix.get_attr_vals('aci')
|
|
|
be9751 |
|
|
|
be9751 |
def finofaci():
|
|
|
be9751 |
"""
|
|
|
be9751 |
@@ -78,8 +89,8 @@ def clean(request, topo):
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_accept_aci_in_addition_to_acl(topo, clean, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Misc Test 2 accept aci in addition to acl
|
|
|
be9751 |
+ """Misc Test 2 accept aci in addition to acl
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 8e9408fa-7db8-11e8-adaa-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -96,7 +107,7 @@ def test_accept_aci_in_addition_to_acl(topo, clean, aci_of_user):
|
|
|
be9751 |
for i in [('mail', 'anujborah@okok.com'), ('givenname', 'Anuj'), ('userPassword', PW_DM)]:
|
|
|
be9751 |
user.set(i[0], i[1])
|
|
|
be9751 |
|
|
|
be9751 |
- aci_target = "(targetattr=givenname)"
|
|
|
be9751 |
+ aci_target = '(targetattr="givenname")'
|
|
|
be9751 |
aci_allow = ('(version 3.0; acl "Name of the ACI"; deny (read, search, compare, write)')
|
|
|
be9751 |
aci_subject = 'userdn="ldap:///anyone";)'
|
|
|
be9751 |
Domain(topo.standalone, CONTAINER_1_DELADD).add("aci", aci_target + aci_allow + aci_subject)
|
|
|
be9751 |
@@ -115,9 +126,9 @@ def test_accept_aci_in_addition_to_acl(topo, clean, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.mark.bz334451
|
|
|
be9751 |
def test_more_then_40_acl_will_crash_slapd(topo, clean, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- bug 334451 : more then 40 acl will crash slapd
|
|
|
be9751 |
+ """bug 334451 : more then 40 acl will crash slapd
|
|
|
be9751 |
superseded by Bug 772778 - acl cache overflown problem with > 200 acis
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 93a44c60-7db8-11e8-9439-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -132,7 +143,7 @@ def test_more_then_40_acl_will_crash_slapd(topo, clean, aci_of_user):
|
|
|
be9751 |
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn='ou=Accounting')
|
|
|
be9751 |
user = uas.create_test_user()
|
|
|
be9751 |
|
|
|
be9751 |
- aci_target = '(target ="ldap:///{}")(targetattr !="userPassword")'.format(CONTAINER_1_DELADD)
|
|
|
be9751 |
+ aci_target = '(target ="ldap:///{}")(targetattr!="userPassword")'.format(CONTAINER_1_DELADD)
|
|
|
be9751 |
# more_then_40_acl_will not crash_slapd
|
|
|
be9751 |
for i in range(40):
|
|
|
be9751 |
aci_allow = '(version 3.0;acl "ACI_{}";allow (read, search, compare)'.format(i)
|
|
|
be9751 |
@@ -147,9 +158,9 @@ def test_more_then_40_acl_will_crash_slapd(topo, clean, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.mark.bz345643
|
|
|
be9751 |
def test_search_access_should_not_include_read_access(topo, clean, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- bug 345643
|
|
|
be9751 |
+ """bug 345643
|
|
|
be9751 |
Misc Test 4 search access should not include read access
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 98ab173e-7db8-11e8-a309-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -163,7 +174,7 @@ def test_search_access_should_not_include_read_access(topo, clean, aci_of_user):
|
|
|
be9751 |
"""
|
|
|
be9751 |
assert Domain(topo.standalone, DEFAULT_SUFFIX).present('aci')
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX)\
|
|
|
be9751 |
- .add("aci", [f'(target ="ldap:///{DEFAULT_SUFFIX}")(targetattr !="userPassword")'
|
|
|
be9751 |
+ .replace("aci", [f'(target ="ldap:///{DEFAULT_SUFFIX}")(targetattr != "userPassword")'
|
|
|
be9751 |
'(version 3.0;acl "anonymous access";allow (search)'
|
|
|
be9751 |
'(userdn = "ldap:///anyone");)',
|
|
|
be9751 |
f'(target="ldap:///{DEFAULT_SUFFIX}") (targetattr = "*")(version 3.0; '
|
|
|
be9751 |
@@ -176,13 +187,13 @@ def test_search_access_should_not_include_read_access(topo, clean, aci_of_user):
|
|
|
be9751 |
conn = Anonymous(topo.standalone).bind()
|
|
|
be9751 |
# search_access_should_not_include_read_access
|
|
|
be9751 |
suffix = Domain(conn, DEFAULT_SUFFIX)
|
|
|
be9751 |
- with pytest.raises(AssertionError):
|
|
|
be9751 |
+ with pytest.raises(Exception):
|
|
|
be9751 |
assert suffix.present('aci')
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_only_allow_some_targetattr(topo, clean, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Misc Test 5 only allow some targetattr (1/2)
|
|
|
be9751 |
+ """Misc Test 5 only allow some targetattr (1/2)
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 9d27f048-7db8-11e8-a71c-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -211,17 +222,17 @@ def test_only_allow_some_targetattr(topo, clean, aci_of_user):
|
|
|
be9751 |
# aci will allow only mail targetattr
|
|
|
be9751 |
assert len(accounts.filter('(mail=*)')) == 2
|
|
|
be9751 |
# aci will allow only mail targetattr
|
|
|
be9751 |
- assert not accounts.filter('(cn=*)')
|
|
|
be9751 |
+ assert not accounts.filter('(cn=*)', scope=1)
|
|
|
be9751 |
# with root no , blockage
|
|
|
be9751 |
- assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)')) == 2
|
|
|
be9751 |
+ assert len(Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)', scope=1)) == 2
|
|
|
be9751 |
|
|
|
be9751 |
for i in uas.list():
|
|
|
be9751 |
i.delete()
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_only_allow_some_targetattr_two(topo, clean, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Misc Test 6 only allow some targetattr (2/2)"
|
|
|
be9751 |
+def test_only_allow_some_targetattr_two(topo, clean, aci_of_user, request):
|
|
|
be9751 |
+ """Misc Test 6 only allow some targetattr (2/2)"
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: a188239c-7db8-11e8-903e-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -244,15 +255,15 @@ def test_only_allow_some_targetattr_two(topo, clean, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
replace("aci", '(target="ldap:///{}") (targetattr="mail||objectClass")'
|
|
|
be9751 |
- '(targetfilter="cn=Anuj") (version 3.0; acl "$tet_thistest"; '
|
|
|
be9751 |
+ '(targetfilter="cn=Anuj") (version 3.0; acl "{}"; '
|
|
|
be9751 |
'allow (compare,read,search) '
|
|
|
be9751 |
- '(userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX))
|
|
|
be9751 |
+ '(userdn = "ldap:///anyone"); )'.format(DEFAULT_SUFFIX, request.node.name))
|
|
|
be9751 |
|
|
|
be9751 |
conn = UserAccount(topo.standalone, user.dn).bind(PW_DM)
|
|
|
be9751 |
# aci will allow only mail targetattr but only for cn=Anuj
|
|
|
be9751 |
account = Accounts(conn, DEFAULT_SUFFIX)
|
|
|
be9751 |
- assert len(account.filter('(mail=*)')) == 5
|
|
|
be9751 |
- assert not account.filter('(cn=*)')
|
|
|
be9751 |
+ assert len(account.filter('(mail=*)', scope=1)) == 5
|
|
|
be9751 |
+ assert not account.filter('(cn=*)', scope=1)
|
|
|
be9751 |
|
|
|
be9751 |
for i in account.filter('(mail=*)'):
|
|
|
be9751 |
assert i.get_attr_val_utf8('mail') == 'anujborah@anujborah.com'
|
|
|
be9751 |
@@ -261,8 +272,8 @@ def test_only_allow_some_targetattr_two(topo, clean, aci_of_user):
|
|
|
be9751 |
conn = Anonymous(topo.standalone).bind()
|
|
|
be9751 |
# aci will allow only mail targetattr but only for cn=Anuj
|
|
|
be9751 |
account = Accounts(conn, DEFAULT_SUFFIX)
|
|
|
be9751 |
- assert len(account.filter('(mail=*)')) == 5
|
|
|
be9751 |
- assert not account.filter('(cn=*)')
|
|
|
be9751 |
+ assert len(account.filter('(mail=*)', scope=1)) == 5
|
|
|
be9751 |
+ assert not account.filter('(cn=*)', scope=1)
|
|
|
be9751 |
|
|
|
be9751 |
for i in account.filter('(mail=*)'):
|
|
|
be9751 |
assert i.get_attr_val_utf8('mail') == 'anujborah@anujborah.com'
|
|
|
be9751 |
@@ -274,11 +285,10 @@ def test_only_allow_some_targetattr_two(topo, clean, aci_of_user):
|
|
|
be9751 |
i.delete()
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-
|
|
|
be9751 |
@pytest.mark.bz326000
|
|
|
be9751 |
def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Non-regression test for BUG 326000: MemberURL needs to be normalized
|
|
|
be9751 |
+ """Non-regression test for BUG 326000: MemberURL needs to be normalized
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: a5d172e6-7db8-11e8-aca7-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -291,7 +301,7 @@ def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ou_ou = OrganizationalUnit(topo.standalone, "ou=PEOPLE,{}".format(DEFAULT_SUFFIX))
|
|
|
be9751 |
- ou_ou.set('aci', '(targetattr= *)'
|
|
|
be9751 |
+ ou_ou.set('aci', '(targetattr="*")'
|
|
|
be9751 |
'(version 3.0; acl "tester"; allow(all) '
|
|
|
be9751 |
'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'.format(DEFAULT_SUFFIX))
|
|
|
be9751 |
|
|
|
be9751 |
@@ -323,8 +333,8 @@ def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.mark.bz624370
|
|
|
be9751 |
def test_greater_than_200_acls_can_be_created(topo, clean, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Misc 10, check that greater than 200 ACLs can be created. Bug 624370
|
|
|
be9751 |
+ """Misc 10, check that greater than 200 ACLs can be created. Bug 624370
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: ac020252-7db8-11e8-8652-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -355,8 +365,8 @@ def test_greater_than_200_acls_can_be_created(topo, clean, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.mark.bz624453
|
|
|
be9751 |
def test_server_bahaves_properly_with_very_long_attribute_names(topo, clean, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Make sure the server bahaves properly with very long attribute names. Bug 624453.
|
|
|
be9751 |
+ """Make sure the server bahaves properly with very long attribute names. Bug 624453.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: b0d31942-7db8-11e8-a833-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -378,24 +388,23 @@ def test_server_bahaves_properly_with_very_long_attribute_names(topo, clean, aci
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_do_bind_as_201_distinct_users(topo, clean, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Do bind as 201 distinct users
|
|
|
be9751 |
- Increase the nsslapd-aclpb-max-selected-acls in cn=ACL Plugin,cn=plugins,cn=config
|
|
|
be9751 |
- Restart the server
|
|
|
be9751 |
- Do bind as 201 distinct users
|
|
|
be9751 |
+ """Test bind as 201 distinct users
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: c0060532-7db8-11e8-a124-8c16451d917b
|
|
|
be9751 |
:setup: Standalone Instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
- 1. Add test entry
|
|
|
be9751 |
- 2. Add ACI
|
|
|
be9751 |
- 3. User should follow ACI role
|
|
|
be9751 |
+ 1. Add test entries
|
|
|
be9751 |
+ 2. Increase the nsslapd-aclpb-max-selected-acls in cn=ACL Plugin,cn=plugins,cn=config
|
|
|
be9751 |
+ 3. Restart the server
|
|
|
be9751 |
+ 4. Do bind as 201 distinct users
|
|
|
be9751 |
:expectedresults:
|
|
|
be9751 |
- 1. Entry should be added
|
|
|
be9751 |
- 2. Operation should succeed
|
|
|
be9751 |
- 3. Operation should succeed
|
|
|
be9751 |
+ 1. Entries should be added
|
|
|
be9751 |
+ 2. Operation should succeed
|
|
|
be9751 |
+ 3. Operation should succeed
|
|
|
be9751 |
+ 4. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
- for i in range(50):
|
|
|
be9751 |
+ for i in range(201):
|
|
|
be9751 |
user = uas.create_test_user(uid=i, gid=i)
|
|
|
be9751 |
user.set('userPassword', PW_DM)
|
|
|
be9751 |
|
|
|
be9751 |
@@ -408,7 +417,6 @@ def test_do_bind_as_201_distinct_users(topo, clean, aci_of_user):
|
|
|
be9751 |
for i in range(len(uas.list())):
|
|
|
be9751 |
uas.list()[i].bind(PW_DM)
|
|
|
be9751 |
|
|
|
be9751 |
-
|
|
|
be9751 |
if __name__ == "__main__":
|
|
|
be9751 |
CURRENT_FILE = os.path.realpath(__file__)
|
|
|
be9751 |
pytest.main("-s -v %s" % CURRENT_FILE)
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/modrdn_test.py b/dirsrvtests/tests/suites/acl/modrdn_test.py
|
|
|
be9751 |
index f67f3e508..c4ae8eea5 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/modrdn_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/modrdn_test.py
|
|
|
be9751 |
@@ -1,5 +1,5 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2019 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -87,9 +87,9 @@ def _add_user(request, topo):
|
|
|
be9751 |
request.addfinalizer(fin)
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_allow_write_privilege_to_anyone(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Modrdn Test 1 Allow write privilege to anyone
|
|
|
be9751 |
+def test_allow_write_privilege_to_anyone(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Modrdn Test 1 Allow write privilege to anyone
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 4406f12e-7932-11e8-9dea-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -102,8 +102,8 @@ def test_allow_write_privilege_to_anyone(topo, _add_user, aci_of_user):
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",
|
|
|
be9751 |
- '(target ="ldap:///{}")(targetattr=*)(version 3.0;acl "$tet_thistest";allow '
|
|
|
be9751 |
- '(write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX))
|
|
|
be9751 |
+ '(target ="ldap:///{}")(targetattr="*")(version 3.0;acl "{}";allow '
|
|
|
be9751 |
+ '(write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX, request.node.name))
|
|
|
be9751 |
conn = Anonymous(topo.standalone).bind()
|
|
|
be9751 |
# Allow write privilege to anyone
|
|
|
be9751 |
useraccount = UserAccount(conn, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
@@ -115,22 +115,22 @@ def test_allow_write_privilege_to_anyone(topo, _add_user, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_allow_write_privilege_to_dynamic_group_with_scope_set_to_base_in_ldap_url(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
+ """Modrdn Test 2 Allow write privilege to DYNAMIC_MODRDN group with scope set to base in LDAP URL
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: 4c0f8c00-7932-11e8-8398-8c16451d917b
|
|
|
be9751 |
+ :setup: server
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Add test entry
|
|
|
be9751 |
+ 2. Add ACI
|
|
|
be9751 |
+ 3. User should follow ACI role
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. Entry should be added
|
|
|
be9751 |
+ 2. Operation should succeed
|
|
|
be9751 |
+ 3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Modrdn Test 2 Allow write privilege to DYNAMIC_MODRDN group with scope set to base in LDAP URL
|
|
|
be9751 |
- :id: 4c0f8c00-7932-11e8-8398-8c16451d917b
|
|
|
be9751 |
- :setup: server
|
|
|
be9751 |
- :steps:
|
|
|
be9751 |
- 1. Add test entry
|
|
|
be9751 |
- 2. Add ACI
|
|
|
be9751 |
- 3. User should follow ACI role
|
|
|
be9751 |
- :expectedresults:
|
|
|
be9751 |
- 1. Entry should be added
|
|
|
be9751 |
- 2. Operation should succeed
|
|
|
be9751 |
- 3. Operation should succeed
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(target = ldap:///{})(targetattr=*)(version 3.0; acl "$tet_thistest"; allow(all)(groupdn = "ldap:///{}"); )'.format(DEFAULT_SUFFIX, DYNAMIC_MODRDN))
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(target = ldap:///{})(targetattr="*")(version 3.0; acl "{}"; allow(all)(groupdn = "ldap:///{}"); )'.format(DEFAULT_SUFFIX, request.node.name, DYNAMIC_MODRDN))
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
# Allow write privilege to DYNAMIC_MODRDN group with scope set to base in LDAP URL
|
|
|
be9751 |
useraccount = UserAccount(conn, USER_DELADD)
|
|
|
be9751 |
@@ -141,22 +141,22 @@ def test_allow_write_privilege_to_dynamic_group_with_scope_set_to_base_in_ldap_u
|
|
|
be9751 |
assert 'cn=Jeff Vedder,ou=Product Development,dc=example,dc=com' == useraccount.dn
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_write_access_to_naming_atributes(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test for write access to naming atributes (1)
|
|
|
be9751 |
- Test that check for add writes to the new naming attr
|
|
|
be9751 |
- :id: 532fc630-7932-11e8-8924-8c16451d917b
|
|
|
be9751 |
- :setup: server
|
|
|
be9751 |
- :steps:
|
|
|
be9751 |
- 1. Add test entry
|
|
|
be9751 |
- 2. Add ACI
|
|
|
be9751 |
- 3. User should follow ACI role
|
|
|
be9751 |
- :expectedresults:
|
|
|
be9751 |
- 1. Entry should be added
|
|
|
be9751 |
- 2. Operation should succeed
|
|
|
be9751 |
- 3. Operation should succeed
|
|
|
be9751 |
+def test_write_access_to_naming_atributes(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Test for write access to naming atributes
|
|
|
be9751 |
+ Test that check for add writes to the new naming attr
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: 532fc630-7932-11e8-8924-8c16451d917b
|
|
|
be9751 |
+ :setup: server
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Add test entry
|
|
|
be9751 |
+ 2. Add ACI
|
|
|
be9751 |
+ 3. User should follow ACI role
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. Entry should be added
|
|
|
be9751 |
+ 2. Operation should succeed
|
|
|
be9751 |
+ 3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target ="ldap:///{}")(targetattr != "uid")(version 3.0;acl "$tet_thistest";allow (write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX))
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target ="ldap:///{}")(targetattr != "uid")(version 3.0;acl "{}";allow (write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX, request.node.name))
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
#Test for write access to naming atributes
|
|
|
be9751 |
useraccount = UserAccount(conn, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
@@ -164,23 +164,23 @@ def test_write_access_to_naming_atributes(topo, _add_user, aci_of_user):
|
|
|
be9751 |
useraccount.rename("uid=Jeffbo Vedder")
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_write_access_to_naming_atributes_two(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test for write access to naming atributes (2)
|
|
|
be9751 |
- :id: 5a2077d2-7932-11e8-9e7b-8c16451d917b
|
|
|
be9751 |
- :setup: server
|
|
|
be9751 |
- :steps:
|
|
|
be9751 |
- 1. Add test entry
|
|
|
be9751 |
- 2. Add ACI
|
|
|
be9751 |
- 3. User should follow ACI role
|
|
|
be9751 |
- 4. Now try to modrdn it to cn, won't work if request deleteoldrdn.
|
|
|
be9751 |
- :expectedresults:
|
|
|
be9751 |
- 1. Entry should be added
|
|
|
be9751 |
- 2. Operation should succeed
|
|
|
be9751 |
- 3. Operation should succeed
|
|
|
be9751 |
- 4. Operation should not succeed
|
|
|
be9751 |
+def test_write_access_to_naming_atributes_two(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Test for write access to naming atributes (2)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: 5a2077d2-7932-11e8-9e7b-8c16451d917b
|
|
|
be9751 |
+ :setup: server
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Add test entry
|
|
|
be9751 |
+ 2. Add ACI
|
|
|
be9751 |
+ 3. User should follow ACI role
|
|
|
be9751 |
+ 4. Now try to modrdn it to cn, won't work if request deleteoldrdn.
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. Entry should be added
|
|
|
be9751 |
+ 2. Operation should succeed
|
|
|
be9751 |
+ 3. Operation should succeed
|
|
|
be9751 |
+ 4. Operation should not succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target ="ldap:///{}")(targetattr != "uid")(version 3.0;acl "$tet_thistest";allow (write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX))
|
|
|
be9751 |
+ Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", '(target ="ldap:///{}")(targetattr != "uid")(version 3.0;acl "{}";allow (write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX, request.node.name))
|
|
|
be9751 |
properties = {
|
|
|
be9751 |
'uid': 'Sam Carter1',
|
|
|
be9751 |
'cn': 'Sam Carter1',
|
|
|
be9751 |
@@ -202,22 +202,22 @@ def test_write_access_to_naming_atributes_two(topo, _add_user, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.mark.bz950351
|
|
|
be9751 |
def test_access_aci_list_contains_any_deny_rule(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing bug #950351: RHDS denies MODRDN access if ACI list contains any DENY rule
|
|
|
be9751 |
- Bug description: If you create a deny ACI for some or more attributes there is incorrect behaviour
|
|
|
be9751 |
- as you cannot rename the entry anymore
|
|
|
be9751 |
- :id: 62cbbb8a-7932-11e8-96a7-8c16451d917b
|
|
|
be9751 |
- :setup: server
|
|
|
be9751 |
- :steps:
|
|
|
be9751 |
- 1. Add test entry
|
|
|
be9751 |
- 2. Adding a new ou ou=People to $BASEDN
|
|
|
be9751 |
- 3. Adding a user NEWENTRY9_MODRDN to ou=People,$BASEDN
|
|
|
be9751 |
- 4. Adding an allow rule for NEWENTRY9_MODRDN and for others an aci deny rule
|
|
|
be9751 |
- :expectedresults:
|
|
|
be9751 |
- 1. Entry should be added
|
|
|
be9751 |
- 2. Operation should succeed
|
|
|
be9751 |
- 3. Operation should succeed
|
|
|
be9751 |
- 4. Operation should succeed
|
|
|
be9751 |
+ """RHDS denies MODRDN access if ACI list contains any DENY rule
|
|
|
be9751 |
+ Bug description: If you create a deny ACI for some or more attributes there is incorrect behaviour
|
|
|
be9751 |
+ as you cannot rename the entry anymore
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: 62cbbb8a-7932-11e8-96a7-8c16451d917b
|
|
|
be9751 |
+ :setup: server
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Add test entry
|
|
|
be9751 |
+ 2. Adding a new ou ou=People to $BASEDN
|
|
|
be9751 |
+ 3. Adding a user NEWENTRY9_MODRDN to ou=People,$BASEDN
|
|
|
be9751 |
+ 4. Adding an allow rule for NEWENTRY9_MODRDN and for others an aci deny rule
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. Entry should be added
|
|
|
be9751 |
+ 2. Operation should succeed
|
|
|
be9751 |
+ 3. Operation should succeed
|
|
|
be9751 |
+ 4. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
properties = {
|
|
|
be9751 |
'uid': 'NEWENTRY9_MODRDN',
|
|
|
be9751 |
@@ -245,28 +245,28 @@ def test_access_aci_list_contains_any_deny_rule(topo, _add_user, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_renaming_target_entry(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Test for renaming target entry
|
|
|
be9751 |
- :id: 6be1d33a-7932-11e8-9115-8c16451d917b
|
|
|
be9751 |
- :setup: server
|
|
|
be9751 |
- :steps:
|
|
|
be9751 |
- 1. Add test entry
|
|
|
be9751 |
- 2. Create a test user entry
|
|
|
be9751 |
- 3.Create a new ou entry with an aci
|
|
|
be9751 |
- 4. Make sure uid=$MYUID has the access
|
|
|
be9751 |
- 5. Rename ou=OU0 to ou=OU1
|
|
|
be9751 |
- 6. Create another ou=OU2
|
|
|
be9751 |
- 7. Move ou=OU1 under ou=OU2
|
|
|
be9751 |
- 8. Make sure uid=$MYUID still has the access
|
|
|
be9751 |
- :expectedresults:
|
|
|
be9751 |
- 1. Entry should be added
|
|
|
be9751 |
- 2. Operation should succeed
|
|
|
be9751 |
- 3. Operation should succeed
|
|
|
be9751 |
- 4. Operation should succeed
|
|
|
be9751 |
- 5. Operation should succeed
|
|
|
be9751 |
- 6. Operation should succeed
|
|
|
be9751 |
- 7. Operation should succeed
|
|
|
be9751 |
- 8. Operation should succeed
|
|
|
be9751 |
+ """Test for renaming target entry
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: 6be1d33a-7932-11e8-9115-8c16451d917b
|
|
|
be9751 |
+ :setup: server
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Add test entry
|
|
|
be9751 |
+ 2. Create a test user entry
|
|
|
be9751 |
+ 3. Create a new ou entry with an aci
|
|
|
be9751 |
+ 4. Make sure uid=$MYUID has the access
|
|
|
be9751 |
+ 5. Rename ou=OU0 to ou=OU1
|
|
|
be9751 |
+ 6. Create another ou=OU2
|
|
|
be9751 |
+ 7. Move ou=OU1 under ou=OU2
|
|
|
be9751 |
+ 8. Make sure uid=$MYUID still has the access
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. Entry should be added
|
|
|
be9751 |
+ 2. Operation should succeed
|
|
|
be9751 |
+ 3. Operation should succeed
|
|
|
be9751 |
+ 4. Operation should succeed
|
|
|
be9751 |
+ 5. Operation should succeed
|
|
|
be9751 |
+ 6. Operation should succeed
|
|
|
be9751 |
+ 7. Operation should succeed
|
|
|
be9751 |
+ 8. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
properties = {
|
|
|
be9751 |
'uid': 'TRAC340_MODRDN',
|
|
|
be9751 |
@@ -281,7 +281,7 @@ def test_renaming_target_entry(topo, _add_user, aci_of_user):
|
|
|
be9751 |
user.set("userPassword", "password")
|
|
|
be9751 |
ou = OrganizationalUnit(topo.standalone, 'ou=OU0,{}'.format(DEFAULT_SUFFIX))
|
|
|
be9751 |
ou.create(properties={'ou': 'OU0'})
|
|
|
be9751 |
- ou.set('aci', '(targetattr=*)(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'.format(TRAC340_MODRDN))
|
|
|
be9751 |
+ ou.set('aci', '(targetattr="*")(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'.format(TRAC340_MODRDN))
|
|
|
be9751 |
conn = UserAccount(topo.standalone, TRAC340_MODRDN).bind(PW_DM)
|
|
|
be9751 |
assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU0')
|
|
|
be9751 |
# Test for renaming target entry
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/roledn_test.py b/dirsrvtests/tests/suites/acl/roledn_test.py
|
|
|
be9751 |
index 227ebd95f..6ccd652cf 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/roledn_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/roledn_test.py
|
|
|
be9751 |
@@ -78,10 +78,10 @@ def _add_user(request, topo):
|
|
|
be9751 |
f'(target="ldap:///{OR_RULE_ACCESS}")(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; aci "or role aci"; allow(all) '
|
|
|
be9751 |
f'roledn = "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
|
|
|
be9751 |
- f'(target="ldap:///{ALL_ACCESS}")(targetattr=*)'
|
|
|
be9751 |
+ f'(target="ldap:///{ALL_ACCESS}")(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; aci "anyone role aci"; allow(all) '
|
|
|
be9751 |
f'roledn = "ldap:///anyone";)',
|
|
|
be9751 |
- f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr=*)'
|
|
|
be9751 |
+ f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; aci "not role aci"; allow(all)'
|
|
|
be9751 |
f'roledn != "ldap:///{ROLE1} || ldap:///{ROLE21}";)'])
|
|
|
be9751 |
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/selfdn_permissions_test.py b/dirsrvtests/tests/suites/acl/selfdn_permissions_test.py
|
|
|
be9751 |
index af7501338..dd506a786 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/selfdn_permissions_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/selfdn_permissions_test.py
|
|
|
be9751 |
@@ -1,5 +1,5 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2016 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -90,8 +90,8 @@ def test_selfdn_permission_add(topology_st, allow_user_init):
|
|
|
be9751 |
|
|
|
be9751 |
:id: e837a9ef-be92-48da-ad8b-ebf42b0fede1
|
|
|
be9751 |
:setup: Standalone instance, add a entry which is used to bind,
|
|
|
be9751 |
- enable acl error logging by setting 'nsslapd-errorlog-level' to '128',
|
|
|
be9751 |
- remove aci's to start with a clean slate, and add dummy entries
|
|
|
be9751 |
+ enable acl error logging by setting 'nsslapd-errorlog-level' to '128',
|
|
|
be9751 |
+ remove aci's to start with a clean slate, and add dummy entries
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
1. Check we can not ADD an entry without the proper SELFDN aci
|
|
|
be9751 |
2. Check with the proper ACI we can not ADD with 'member' attribute
|
|
|
be9751 |
@@ -191,8 +191,8 @@ def test_selfdn_permission_search(topology_st, allow_user_init):
|
|
|
be9751 |
|
|
|
be9751 |
:id: 06d51ef9-c675-4583-99b2-4852dbda190e
|
|
|
be9751 |
:setup: Standalone instance, add a entry which is used to bind,
|
|
|
be9751 |
- enable acl error logging by setting 'nsslapd-errorlog-level' to '128',
|
|
|
be9751 |
- remove aci's to start with a clean slate, and add dummy entries
|
|
|
be9751 |
+ enable acl error logging by setting 'nsslapd-errorlog-level' to '128',
|
|
|
be9751 |
+ remove aci's to start with a clean slate, and add dummy entries
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
1. Check we can not search an entry without the proper SELFDN aci
|
|
|
be9751 |
2. Add proper ACI
|
|
|
be9751 |
@@ -217,7 +217,7 @@ def test_selfdn_permission_search(topology_st, allow_user_init):
|
|
|
be9751 |
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
|
|
|
be9751 |
|
|
|
be9751 |
ACI_TARGET = "(target = \"ldap:///cn=*,%s\")" % SUFFIX
|
|
|
be9751 |
- ACI_TARGETATTR = "(targetattr = *)"
|
|
|
be9751 |
+ ACI_TARGETATTR = '(targetattr="*")'
|
|
|
be9751 |
ACI_TARGETFILTER = "(targetfilter =\"(objectClass=%s)\")" % OC_NAME
|
|
|
be9751 |
ACI_ALLOW = "(version 3.0; acl \"SelfDN search-read\"; allow (read, search, compare)"
|
|
|
be9751 |
ACI_SUBJECT = " userattr = \"member#selfDN\";)"
|
|
|
be9751 |
@@ -241,8 +241,8 @@ def test_selfdn_permission_modify(topology_st, allow_user_init):
|
|
|
be9751 |
|
|
|
be9751 |
:id: 97a58844-095f-44b0-9029-dd29a7d83d68
|
|
|
be9751 |
:setup: Standalone instance, add a entry which is used to bind,
|
|
|
be9751 |
- enable acl error logging by setting 'nsslapd-errorlog-level' to '128',
|
|
|
be9751 |
- remove aci's to start with a clean slate, and add dummy entries
|
|
|
be9751 |
+ enable acl error logging by setting 'nsslapd-errorlog-level' to '128',
|
|
|
be9751 |
+ remove aci's to start with a clean slate, and add dummy entries
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
1. Check we can not modify an entry without the proper SELFDN aci
|
|
|
be9751 |
2. Add proper ACI
|
|
|
be9751 |
@@ -272,7 +272,7 @@ def test_selfdn_permission_modify(topology_st, allow_user_init):
|
|
|
be9751 |
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
|
|
|
be9751 |
|
|
|
be9751 |
ACI_TARGET = "(target = \"ldap:///cn=*,%s\")" % SUFFIX
|
|
|
be9751 |
- ACI_TARGETATTR = "(targetattr = *)"
|
|
|
be9751 |
+ ACI_TARGETATTR = '(targetattr="*")'
|
|
|
be9751 |
ACI_TARGETFILTER = "(targetfilter =\"(objectClass=%s)\")" % OC_NAME
|
|
|
be9751 |
ACI_ALLOW = "(version 3.0; acl \"SelfDN write\"; allow (write)"
|
|
|
be9751 |
ACI_SUBJECT = " userattr = \"member#selfDN\";)"
|
|
|
be9751 |
@@ -300,8 +300,8 @@ def test_selfdn_permission_delete(topology_st, allow_user_init):
|
|
|
be9751 |
|
|
|
be9751 |
:id: 0ec4c0ec-e7b0-4ef1-8373-ab25aae34516
|
|
|
be9751 |
:setup: Standalone instance, add a entry which is used to bind,
|
|
|
be9751 |
- enable acl error logging by setting 'nsslapd-errorlog-level' to '128',
|
|
|
be9751 |
- remove aci's to start with a clean slate, and add dummy entries
|
|
|
be9751 |
+ enable acl error logging by setting 'nsslapd-errorlog-level' to '128',
|
|
|
be9751 |
+ remove aci's to start with a clean slate, and add dummy entries
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
1. Check we can not delete an entry without the proper SELFDN aci
|
|
|
be9751 |
2. Add proper ACI
|
|
|
be9751 |
@@ -309,6 +309,7 @@ def test_selfdn_permission_delete(topology_st, allow_user_init):
|
|
|
be9751 |
:expectedresults:
|
|
|
be9751 |
1. Operation should be successful
|
|
|
be9751 |
2. Operation should be successful
|
|
|
be9751 |
+ 3. Operation should be successful
|
|
|
be9751 |
"""
|
|
|
be9751 |
topology_st.standalone.log.info("\n\n######################### DELETE ######################\n")
|
|
|
be9751 |
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/syntax_test.py b/dirsrvtests/tests/suites/acl/syntax_test.py
|
|
|
be9751 |
index c143ff7c9..b8f27480a 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/syntax_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/syntax_test.py
|
|
|
be9751 |
@@ -1,12 +1,10 @@
|
|
|
be9751 |
-"""
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2019 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
# See LICENSE for details.
|
|
|
be9751 |
# --- END COPYRIGHT BLOCK ----
|
|
|
be9751 |
-"""
|
|
|
be9751 |
|
|
|
be9751 |
import os
|
|
|
be9751 |
import pytest
|
|
|
be9751 |
@@ -74,66 +72,66 @@ INVALID = [('test_targattrfilters_1',
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_targattrfilters_19',
|
|
|
be9751 |
f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)'
|
|
|
be9751 |
+ f'(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny(write)gropdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_targattrfilters_21',
|
|
|
be9751 |
f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)'
|
|
|
be9751 |
+ f'(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny(rite)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_targattrfilters_22',
|
|
|
be9751 |
f'(targt = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)'
|
|
|
be9751 |
+ f'(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_targattrfilters_23',
|
|
|
be9751 |
f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)'
|
|
|
be9751 |
+ f'(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_Missing_acl_mispel',
|
|
|
be9751 |
f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)'
|
|
|
be9751 |
+ f'(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; alc "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_Missing_acl_string',
|
|
|
be9751 |
f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)'
|
|
|
be9751 |
+ f'(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_Wrong_version_string',
|
|
|
be9751 |
f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)'
|
|
|
be9751 |
+ f'(targetattr="*")'
|
|
|
be9751 |
f'(version 2.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_Missing_version_string',
|
|
|
be9751 |
f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)'
|
|
|
be9751 |
+ f'(targetattr="*")'
|
|
|
be9751 |
f'(; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_Authenticate_statement',
|
|
|
be9751 |
f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
f'(targetattr != "uid")'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; acl "Name of the ACI"; deny absolute (all)'
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; acl "Name of the ACI"; deny absolute (all)'
|
|
|
be9751 |
f'userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_Multiple_targets',
|
|
|
be9751 |
f'(target = ldap:///ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(target = ldap:///ou=Product Testing,{DEFAULT_SUFFIX})(targetattr=*)'
|
|
|
be9751 |
+ f'(target = ldap:///ou=Product Testing,{DEFAULT_SUFFIX})(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_Target_set_to_self',
|
|
|
be9751 |
- f'(target = ldap:///self)(targetattr=*)'
|
|
|
be9751 |
+ f'(target = ldap:///self)(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_target_set_with_ldap_instead_of_ldap',
|
|
|
be9751 |
- f'(target = ldap:\\\{DEFAULT_SUFFIX})(targetattr=*)'
|
|
|
be9751 |
+ f'(target = ldap:\\\{DEFAULT_SUFFIX})(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_target_set_with_more_than_three',
|
|
|
be9751 |
- f'(target = ldap:////{DEFAULT_SUFFIX})(targetattr=*)'
|
|
|
be9751 |
+ f'(target = ldap:////{DEFAULT_SUFFIX})(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_target_set_with_less_than_three',
|
|
|
be9751 |
- f'(target = ldap://{DEFAULT_SUFFIX})(targetattr=*)'
|
|
|
be9751 |
+ f'(target = ldap://{DEFAULT_SUFFIX})(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_bind_rule_set_with_less_than_three',
|
|
|
be9751 |
- f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
|
|
|
be9751 |
+ f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:/anyone";)'),
|
|
|
be9751 |
('test_Use_semicolon_instead_of_comma_in_permission',
|
|
|
be9751 |
- f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
|
|
|
be9751 |
+ f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny '
|
|
|
be9751 |
f'(read; search; compare; write)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_Use_double_equal_instead_of_equal_in_the_target',
|
|
|
be9751 |
- f'(target == ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
|
|
|
be9751 |
+ f'(target == ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn="ldap:///anyone";)'),
|
|
|
be9751 |
('test_use_double_equal_instead_of_equal_in_user_and_group_access',
|
|
|
be9751 |
f'(target = ldap:///{DEFAULT_SUFFIX})'
|
|
|
be9751 |
@@ -143,21 +141,21 @@ INVALID = [('test_targattrfilters_1',
|
|
|
be9751 |
f'(target = ldap:///{DEFAULT_SUFFIX})'
|
|
|
be9751 |
f'(version 3.0; acl Name of the ACI ; deny absolute (all)userdn = "ldap:///anyone";)'),
|
|
|
be9751 |
('test_extra_parentheses_case_1',
|
|
|
be9751 |
- f'( )(target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
|
|
|
be9751 |
+ f'( )(target = ldap:///{DEFAULT_SUFFIX}) (targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn = "ldap:///anyone";)'),
|
|
|
be9751 |
('test_extra_parentheses_case_2',
|
|
|
be9751 |
- f'(((((target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
|
|
|
be9751 |
+ f'(((((target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)'
|
|
|
be9751 |
f'userdn == "ldap:///anyone";)'),
|
|
|
be9751 |
('test_extra_parentheses_case_3',
|
|
|
be9751 |
- f'(((target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
|
|
|
be9751 |
+ f'(((target = ldap:///{DEFAULT_SUFFIX}) (targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute '
|
|
|
be9751 |
f'(all)userdn = "ldap:///anyone";)))'),
|
|
|
be9751 |
('test_no_semicolon_at_the_end_of_the_aci',
|
|
|
be9751 |
- f'(target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
|
|
|
be9751 |
+ f'(target = ldap:///{DEFAULT_SUFFIX}) (targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn = "ldap:///anyone")'),
|
|
|
be9751 |
('test_a_character_different_of_a_semicolon_at_the_end_of_the_aci',
|
|
|
be9751 |
- f'(target = ldap:///{DEFAULT_SUFFIX}) (targetattr=*)'
|
|
|
be9751 |
+ f'(target = ldap:///{DEFAULT_SUFFIX}) (targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)userdn = "ldap:///anyone"%)'),
|
|
|
be9751 |
('test_bad_filter',
|
|
|
be9751 |
f'(target = ldap:///{DEFAULT_SUFFIX}) '
|
|
|
be9751 |
@@ -173,14 +171,14 @@ INVALID = [('test_targattrfilters_1',
|
|
|
be9751 |
|
|
|
be9751 |
FAILED = [('test_targattrfilters_18',
|
|
|
be9751 |
f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)'
|
|
|
be9751 |
+ f'(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny(write)userdn="ldap:///{"123" * 300}";)'),
|
|
|
be9751 |
('test_targattrfilters_20',
|
|
|
be9751 |
f'(target = ldap:///cn=Jeff Vedder,ou=Product Development,{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)'
|
|
|
be9751 |
+ f'(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny(write)userdns="ldap:///anyone";)'),
|
|
|
be9751 |
('test_bind_rule_set_with_more_than_three',
|
|
|
be9751 |
- f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'
|
|
|
be9751 |
+ f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'
|
|
|
be9751 |
f'(version 3.0; acl "Name of the ACI"; deny absolute (all)'
|
|
|
be9751 |
f'userdn="ldap:////////anyone";)'),
|
|
|
be9751 |
('test_Use_double_equal_instead_of_equal_in_the_targetattr',
|
|
|
be9751 |
@@ -253,7 +251,7 @@ def test_target_set_above_the_entry_test(topo):
|
|
|
be9751 |
domain = Domain(topo.standalone, "ou=People,{}".format(DEFAULT_SUFFIX))
|
|
|
be9751 |
with pytest.raises(ldap.INVALID_SYNTAX):
|
|
|
be9751 |
domain.add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
|
|
|
be9751 |
- f'(targetattr=*)(version 3.0; acl "Name of the ACI"; deny absolute '
|
|
|
be9751 |
+ f'(targetattr="*")(version 3.0; acl "Name of the ACI"; deny absolute '
|
|
|
be9751 |
f'(all)userdn="ldap:///anyone";)')
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/userattr_test.py b/dirsrvtests/tests/suites/acl/userattr_test.py
|
|
|
be9751 |
index 542d7afc9..3a13d32dc 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/userattr_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/userattr_test.py
|
|
|
be9751 |
@@ -1,5 +1,5 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2019 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -55,7 +55,7 @@ def _add_user(topo):
|
|
|
be9751 |
"""
|
|
|
be9751 |
This function will create user for the test and in the end entries will be deleted .
|
|
|
be9751 |
"""
|
|
|
be9751 |
- role_aci_body = '(targetattr=*)(version 3.0; aci "role aci"; allow(all)'
|
|
|
be9751 |
+ role_aci_body = '(targetattr="*")(version 3.0; aci "role aci"; allow(all)'
|
|
|
be9751 |
# Creating OUs
|
|
|
be9751 |
ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
ou_accounting = ous.create(properties={'ou': 'Accounting'})
|
|
|
be9751 |
@@ -77,7 +77,7 @@ def _add_user(topo):
|
|
|
be9751 |
'description': LEVEL_1,
|
|
|
be9751 |
'businessCategory': LEVEL_0})
|
|
|
be9751 |
|
|
|
be9751 |
- inheritance_aci_body = '(targetattr=*)(version 3.0; aci "Inheritance aci"; allow(all) '
|
|
|
be9751 |
+ inheritance_aci_body = '(targetattr="*")(version 3.0; aci "Inheritance aci"; allow(all) '
|
|
|
be9751 |
ou_inheritance.set('aci', [f'{inheritance_aci_body} '
|
|
|
be9751 |
f'userattr = "parent[0].businessCategory#USERDN";)',
|
|
|
be9751 |
f'{inheritance_aci_body} '
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/valueacl_part2_test.py b/dirsrvtests/tests/suites/acl/valueacl_part2_test.py
|
|
|
be9751 |
index 5f5b1c64e..763c0b5a2 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/valueacl_part2_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/valueacl_part2_test.py
|
|
|
be9751 |
@@ -28,6 +28,17 @@ HUMAN_OU_GLOBAL = "ou=Human Resources,{}".format(DEFAULT_SUFFIX)
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.fixture(scope="function")
|
|
|
be9751 |
def aci_of_user(request, topo):
|
|
|
be9751 |
+ # Add anonymous access aci
|
|
|
be9751 |
+ ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
|
|
|
be9751 |
+ ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
|
|
|
be9751 |
+ ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
|
|
|
be9751 |
+ ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
|
|
|
be9751 |
+ suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
+ try:
|
|
|
be9751 |
+ suffix.add('aci', ANON_ACI)
|
|
|
be9751 |
+ except ldap.TYPE_OR_VALUE_EXISTS:
|
|
|
be9751 |
+ pass
|
|
|
be9751 |
+
|
|
|
be9751 |
aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
|
|
|
be9751 |
|
|
|
be9751 |
def finofaci():
|
|
|
be9751 |
@@ -107,10 +118,10 @@ def _add_user(request, topo):
|
|
|
be9751 |
request.addfinalizer(fin)
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_we_can_search_as_expected(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the attributes being added (or deleted))
|
|
|
be9751 |
+def test_we_can_search_as_expected(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the attributes being added (or deleted))
|
|
|
be9751 |
Test that we can search as expected
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: e845dbba-7aa9-11e8-8988-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -124,8 +135,8 @@ def test_we_can_search_as_expected(topo, _add_user, aci_of_user):
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(target="ldap:///cn=*,ou=Product Development, {}")' \
|
|
|
be9751 |
'(targetfilter="cn=Jeff*")(targetattr="secretary || objectclass || mail")' \
|
|
|
be9751 |
- '(targattrfilters = "add=title:(title=arch*)")(version 3.0; acl "$tet_thistest"; ' \
|
|
|
be9751 |
- 'allow (write,read,search,compare) (userdn = "ldap:///anyone") ;)'.format(DEFAULT_SUFFIX)
|
|
|
be9751 |
+ '(targattrfilters = "add=title:(title=arch*)")(version 3.0; acl "{}"; ' \
|
|
|
be9751 |
+ 'allow (write,read,search,compare) (userdn = "ldap:///anyone") ;)'.format(DEFAULT_SUFFIX, request.node.name)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
conn = Anonymous(topo.standalone).bind()
|
|
|
be9751 |
# aci will allow secretary , mail , objectclass
|
|
|
be9751 |
@@ -135,11 +146,11 @@ def test_we_can_search_as_expected(topo, _add_user, aci_of_user):
|
|
|
be9751 |
assert user.get_attr_vals('objectclass')
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_we_can_mod_title_as_expected(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the
|
|
|
be9751 |
+def test_we_can_mod_title_as_expected(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the
|
|
|
be9751 |
value of the attributes being added (or deleted))
|
|
|
be9751 |
- "Valueacl Test $tet_thistest Test search will work with targattrfilters present."
|
|
|
be9751 |
+ Test search will work with targattrfilters present.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: f8c1ea88-7aa9-11e8-a55c-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -153,8 +164,8 @@ def test_we_can_mod_title_as_expected(topo, _add_user, aci_of_user):
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(target="ldap:///cn=*,ou=Product Development, {}")' \
|
|
|
be9751 |
'(targetfilter="cn=Jeff*")(targetattr="secretary || objectclass || mail")' \
|
|
|
be9751 |
- '(targattrfilters = "add=title:(title=arch*)")(version 3.0; acl "$tet_thistest"; ' \
|
|
|
be9751 |
- 'allow (write,read,search,compare) (userdn = "ldap:///anyone") ;)'.format(DEFAULT_SUFFIX)
|
|
|
be9751 |
+ '(targattrfilters = "add=title:(title=arch*)")(version 3.0; acl "{}"; ' \
|
|
|
be9751 |
+ 'allow (write,read,search,compare) (userdn = "ldap:///anyone") ;)'.format(DEFAULT_SUFFIX, request.node.name)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
# aci will not allow 'title', 'topdog'
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
@@ -163,11 +174,11 @@ def test_we_can_mod_title_as_expected(topo, _add_user, aci_of_user):
|
|
|
be9751 |
user.add('title', 'topdog')
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_modify_with_multiple_filters(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the
|
|
|
be9751 |
+def test_modify_with_multiple_filters(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the
|
|
|
be9751 |
value of the attributes being added (or deleted))
|
|
|
be9751 |
- "Valueacl Test $tet_thistest Allowed by multiple."
|
|
|
be9751 |
+ Allowed by multiple filters
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: fd9d223e-7aa9-11e8-a83b-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -181,9 +192,9 @@ def test_modify_with_multiple_filters(topo, _add_user, aci_of_user):
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=architect) && secretary:' \
|
|
|
be9751 |
'(secretary=cn=Meylan,{}), del=title:(title=architect) && secretary:' \
|
|
|
be9751 |
- '(secretary=cn=Meylan,{})")(version 3.0; acl "$tet_thistest"; allow (write) ' \
|
|
|
be9751 |
+ '(secretary=cn=Meylan,{})")(version 3.0; acl "{}"; allow (write) ' \
|
|
|
be9751 |
'(userdn = "ldap:///anyone") ;)'.format(
|
|
|
be9751 |
- DEFAULT_SUFFIX, DEFAULT_SUFFIX
|
|
|
be9751 |
+ DEFAULT_SUFFIX, DEFAULT_SUFFIX, request.node.name
|
|
|
be9751 |
)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
@@ -195,11 +206,11 @@ def test_modify_with_multiple_filters(topo, _add_user, aci_of_user):
|
|
|
be9751 |
assert user.get_attr_val('secretary')
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_denied_by_multiple_filters(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+def test_denied_by_multiple_filters(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
- "Valueacl Test $tet_thistest Denied by multiple filters."
|
|
|
be9751 |
+ Denied by multiple filters
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 034c6c62-7aaa-11e8-8634-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -213,8 +224,8 @@ def test_denied_by_multiple_filters(topo, _add_user, aci_of_user):
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=architect) && secretary:' \
|
|
|
be9751 |
'(secretary=cn=Meylan,{}), del=title:(title=architect) && secretary:' \
|
|
|
be9751 |
- '(secretary=cn=Meylan,{})")(version 3.0; acl "$tet_thistest"; allow (write) ' \
|
|
|
be9751 |
- '(userdn = "ldap:///anyone") ;)'.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX)
|
|
|
be9751 |
+ '(secretary=cn=Meylan,{})")(version 3.0; acl "{}"; allow (write) ' \
|
|
|
be9751 |
+ '(userdn = "ldap:///anyone") ;)'.format(DEFAULT_SUFFIX, DEFAULT_SUFFIX, request.node.name)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
# aci will allow title some attribute only
|
|
|
be9751 |
@@ -228,11 +239,11 @@ def test_denied_by_multiple_filters(topo, _add_user, aci_of_user):
|
|
|
be9751 |
user.add("secretary", "cn=Grenoble,dc=example,dc=com")
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_allowed_add_one_attribute(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+def test_allowed_add_one_attribute(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
- "Valueacl Test $tet_thistest Allowed add one attribute (in presence of multiple filters)"
|
|
|
be9751 |
+ Allowed add one attribute (in presence of multiple filters)
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 086c7f0c-7aaa-11e8-b69f-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -245,9 +256,9 @@ def test_allowed_add_one_attribute(topo, _add_user, aci_of_user):
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=architect) && secretary:(secretary=cn=Meylan, {}), ' \
|
|
|
be9751 |
- 'del=title:(title=architect) && secretary:(secretary=cn=Meylan, {})")(version 3.0; acl "$tet_thistest"; ' \
|
|
|
be9751 |
+ 'del=title:(title=architect) && secretary:(secretary=cn=Meylan, {})")(version 3.0; acl "{}"; ' \
|
|
|
be9751 |
'allow (write) (userdn = "ldap:///{}") ;)'.format(
|
|
|
be9751 |
- DEFAULT_SUFFIX, DEFAULT_SUFFIX, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ DEFAULT_SUFFIX, DEFAULT_SUFFIX, request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
user = UserAccount(conn, USER_DELADD)
|
|
|
be9751 |
@@ -258,12 +269,12 @@ def test_allowed_add_one_attribute(topo, _add_user, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_cannot_add_an_entry_with_attribute_values_we_are_not_allowed_add(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
- "Valueacl Test $tet_thistest Test not allowed add an entry"
|
|
|
be9751 |
+ Test not allowed add an entry
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 0d0effee-7aaa-11e8-b673-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -277,8 +288,8 @@ def test_cannot_add_an_entry_with_attribute_values_we_are_not_allowed_add(
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(|(title=engineer)(title=cool dude)(title=scum)) ' \
|
|
|
be9751 |
'&& secretary:(secretary=cn=Meylan, {}), del=title:(|(title=engineer)(title=cool dude)' \
|
|
|
be9751 |
- '(title=scum))")(version 3.0; aci "$tet_thistest"; allow (add) userdn = "ldap:///{}";)'.format(
|
|
|
be9751 |
- DEFAULT_SUFFIX, DEFAULT_SUFFIX)
|
|
|
be9751 |
+ '(title=scum))")(version 3.0; aci "{}"; allow (add) userdn = "ldap:///{}";)'.format(
|
|
|
be9751 |
+ DEFAULT_SUFFIX, request.node.name, DEFAULT_SUFFIX)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
properties = {
|
|
|
be9751 |
'uid': 'FRED',
|
|
|
be9751 |
@@ -298,11 +309,11 @@ def test_cannot_add_an_entry_with_attribute_values_we_are_not_allowed_add(
|
|
|
be9751 |
user.add("objectclass", "person")
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_on_modrdn(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+def test_on_modrdn(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
Test that valuacls kick in for modrdn operation.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 12985dde-7aaa-11e8-abde-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -315,8 +326,8 @@ def test_on_modrdn(topo, _add_user, aci_of_user):
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(target="ldap:///cn=*,ou=Accounting,{}")(targattrfilters = "add=cn:(|(cn=engineer)), ' \
|
|
|
be9751 |
- 'del=title:(|(title=engineer)(title=cool dude)(title=scum))")(version 3.0; aci "$tet_thistest"; ' \
|
|
|
be9751 |
- 'allow (write) userdn = "ldap:///{}";)'.format(DEFAULT_SUFFIX, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ 'del=title:(|(title=engineer)(title=cool dude)(title=scum))")(version 3.0; aci "{}"; ' \
|
|
|
be9751 |
+ 'allow (write) userdn = "ldap:///{}";)'.format(DEFAULT_SUFFIX, request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
# modrdn_s is not allowed with ou=OU1
|
|
|
be9751 |
@@ -325,11 +336,11 @@ def test_on_modrdn(topo, _add_user, aci_of_user):
|
|
|
be9751 |
useraccount.rename("ou=OU1")
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_on_modrdn_allow(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the attributes being
|
|
|
be9751 |
+def test_on_modrdn_allow(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the attributes being
|
|
|
be9751 |
added (or deleted))
|
|
|
be9751 |
- "Valueacl Test $tet_thistest Test modrdn still works (2)"
|
|
|
be9751 |
+ Test modrdn still works (2)
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 17720562-7aaa-11e8-82ee-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -342,8 +353,8 @@ def test_on_modrdn_allow(topo, _add_user, aci_of_user):
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(target="ldap:///{}")(targattrfilters = "add=cn:((cn=engineer)), del=cn:((cn=jonny))")' \
|
|
|
be9751 |
- '(version 3.0; aci "$tet_thistest"; allow (write) ' \
|
|
|
be9751 |
- 'userdn = "ldap:///{}";)'.format(DEFAULT_SUFFIX, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(version 3.0; aci "{}"; allow (write) ' \
|
|
|
be9751 |
+ 'userdn = "ldap:///{}";)'.format(DEFAULT_SUFFIX, request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
properties = {
|
|
|
be9751 |
'uid': 'jonny',
|
|
|
be9751 |
@@ -364,12 +375,12 @@ def test_on_modrdn_allow(topo, _add_user, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.mark.bz979515
|
|
|
be9751 |
def test_targattrfilters_keyword(topo):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value
|
|
|
be9751 |
of the attributes being added (or deleted))
|
|
|
be9751 |
"Bug #979515 - ACLs inoperative in some search scenarios [rhel-6.5]"
|
|
|
be9751 |
"Bug #979516 is a clone for DS8.2 on RHEL5.9"
|
|
|
be9751 |
"Bug #979514 is a clone for RHEL6.4 zStream errata"
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 23f9e9d0-7aaa-11e8-b16b-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/acl/valueacl_test.py b/dirsrvtests/tests/suites/acl/valueacl_test.py
|
|
|
be9751 |
index 54bc13452..3bbbdcabb 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/acl/valueacl_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/acl/valueacl_test.py
|
|
|
be9751 |
@@ -1,5 +1,5 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2019 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -28,6 +28,17 @@ HUMAN_OU_GLOBAL = "ou=Human Resources,{}".format(DEFAULT_SUFFIX)
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.fixture(scope="function")
|
|
|
be9751 |
def aci_of_user(request, topo):
|
|
|
be9751 |
+ # Add anonymous access aci
|
|
|
be9751 |
+ ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
|
|
|
be9751 |
+ ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
|
|
|
be9751 |
+ ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
|
|
|
be9751 |
+ ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
|
|
|
be9751 |
+ suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
+ try:
|
|
|
be9751 |
+ suffix.add('aci', ANON_ACI)
|
|
|
be9751 |
+ except ldap.TYPE_OR_VALUE_EXISTS:
|
|
|
be9751 |
+ pass
|
|
|
be9751 |
+
|
|
|
be9751 |
aci_list = Domain(topo.standalone, DEFAULT_SUFFIX).get_attr_vals('aci')
|
|
|
be9751 |
|
|
|
be9751 |
def finofaci():
|
|
|
be9751 |
@@ -167,10 +178,10 @@ class _AddFREDWithRoot:
|
|
|
be9751 |
def test_delete_an_attribute_value_we_are_not_allowed_to_delete(
|
|
|
be9751 |
topo, _add_user, aci_of_user
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value
|
|
|
be9751 |
of the attributes being added (or deleted))
|
|
|
be9751 |
Test that we can MODIFY:add an attribute value we are allowed to add
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 7c41baa6-7aa9-11e8-9bdc-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -192,12 +203,12 @@ def test_delete_an_attribute_value_we_are_not_allowed_to_delete(
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_donot_allow_write_access_to_title_if_value_is_not_architect(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
Test that we cannot MODIFY:add an attribute value we are not allowed to add
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 822c607e-7aa9-11e8-b2e7-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -210,7 +221,7 @@ def test_donot_allow_write_access_to_title_if_value_is_not_architect(
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=architect), del=title:(title=architect)")' \
|
|
|
be9751 |
- '(version 3.0; acl "$tet_thistest"; allow (write) (userdn = "ldap:///{}") ;)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(version 3.0; acl "{}"; allow (write) (userdn = "ldap:///{}") ;)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
# aci will allow to add title architect
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
@@ -221,12 +232,12 @@ def test_donot_allow_write_access_to_title_if_value_is_not_architect(
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_delete_an_attribute_value_we_are_allowed_to_delete(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
the attributes being added (or deleted))
|
|
|
be9751 |
- Test that we can MODIFY:delete an attribute value we are allowed to delete,
|
|
|
be9751 |
+ Test that we can MODIFY:delete an attribute value we are allowed to delete
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 86f36b34-7aa9-11e8-ab16-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -239,7 +250,7 @@ def test_delete_an_attribute_value_we_are_allowed_to_delete(
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=architect), del=title:(title=architect)")' \
|
|
|
be9751 |
- '(version 3.0; acl "$tet_thistest"; allow (write) (userdn = "ldap:///{}") ;)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(version 3.0; acl "{}"; allow (write) (userdn = "ldap:///{}") ;)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "architect").add()
|
|
|
be9751 |
# aci will allow to delete title architect
|
|
|
be9751 |
@@ -249,12 +260,12 @@ def test_delete_an_attribute_value_we_are_allowed_to_delete(
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_delete_an_attribute_value_we_are_not_allowed_to_deleted(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
- Test that we cannot MODIFY:delete an attribute value we are allowed to delete,
|
|
|
be9751 |
+ Test that we cannot MODIFY:delete an attribute value we are allowed to delete
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 8c9f3a90-7aa9-11e8-bf2e-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -267,7 +278,7 @@ def test_delete_an_attribute_value_we_are_not_allowed_to_deleted(
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=architect), del=title:(title=architect)")' \
|
|
|
be9751 |
- '(version 3.0; acl "$tet_thistest"; allow (write) (userdn = "ldap:///{}") ;)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(version 3.0; acl "{}"; allow (write) (userdn = "ldap:///{}") ;)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "engineer").add()
|
|
|
be9751 |
# acl will not allow to delete title engineer
|
|
|
be9751 |
@@ -276,11 +287,11 @@ def test_delete_an_attribute_value_we_are_not_allowed_to_deleted(
|
|
|
be9751 |
_ModTitleArchitectJeffVedder(topo, "engineer", conn).delete()
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_allow_modify_replace(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+def test_allow_modify_replace(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
Test that we can MODIFY:replace an attribute if we have correct add/delete rights.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 9148a234-7aa9-11e8-a1f1-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -293,8 +304,8 @@ def test_allow_modify_replace(topo, _add_user, aci_of_user):
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=engineer), del=title:(|(title=architect)' \
|
|
|
be9751 |
- '(title=idiot))")(version 3.0; acl "$tet_thistest"; ' \
|
|
|
be9751 |
- 'allow (write) (userdn = "ldap:///{}") ;)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(title=idiot))")(version 3.0; acl "{}"; ' \
|
|
|
be9751 |
+ 'allow (write) (userdn = "ldap:///{}") ;)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "architect").add()
|
|
|
be9751 |
_AddTitleWithRoot(topo, "idiot").add()
|
|
|
be9751 |
@@ -305,11 +316,11 @@ def test_allow_modify_replace(topo, _add_user, aci_of_user):
|
|
|
be9751 |
_ModTitleArchitectJeffVedder(topo, "engineer", conn).delete()
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_allow_modify_delete(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+def test_allow_modify_delete(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
- "Valueacl Test $tet_thistest Don't Allow modify:replace because of lack of delete rights"
|
|
|
be9751 |
+ Don't Allow modify:replace because of lack of delete rights
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 962842d2-7aa9-11e8-b39e-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -322,8 +333,8 @@ def test_allow_modify_delete(topo, _add_user, aci_of_user):
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=engineer), del=title:(|(title=architect))")' \
|
|
|
be9751 |
- '(version 3.0; acl "$tet_thistest"; allow (write) ' \
|
|
|
be9751 |
- '(userdn = "ldap:///{}") ;)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(version 3.0; acl "{}"; allow (write) ' \
|
|
|
be9751 |
+ '(userdn = "ldap:///{}") ;)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "architect").add()
|
|
|
be9751 |
_AddTitleWithRoot(topo, "idiot").add()
|
|
|
be9751 |
@@ -335,11 +346,11 @@ def test_allow_modify_delete(topo, _add_user, aci_of_user):
|
|
|
be9751 |
_ModTitleArchitectJeffVedder(topo, "idiot", conn).delete()
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_replace_an_attribute_if_we_lack(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+def test_replace_an_attribute_if_we_lack(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
Test that we cannot MODIFY:replace an attribute if we lack
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 9b1e6afa-7aa9-11e8-ac5b-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -352,8 +363,8 @@ def test_replace_an_attribute_if_we_lack(topo, _add_user, aci_of_user):
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=engineer), del=title:(|(title=architect))")' \
|
|
|
be9751 |
- '(version 3.0; acl "$tet_thistest"; allow (write) ' \
|
|
|
be9751 |
- '(userdn = "ldap:///{}") ;)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(version 3.0; acl "{}"; allow (write) ' \
|
|
|
be9751 |
+ '(userdn = "ldap:///{}") ;)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "architect").add()
|
|
|
be9751 |
_AddTitleWithRoot(topo, "idiot").add()
|
|
|
be9751 |
@@ -365,13 +376,13 @@ def test_replace_an_attribute_if_we_lack(topo, _add_user, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_remove_an_attribute_if_we_have_del_rights_to_all_attr_value(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
- attributes being added (or deleted))
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+ attributes being added (or deleted))
|
|
|
be9751 |
Test that we can use MODIFY:delete to entirely remove an attribute if we have del rights
|
|
|
be9751 |
to all attr values negative case tested next.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: a0c9e0c4-7aa9-11e8-8880-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -384,8 +395,8 @@ def test_remove_an_attribute_if_we_have_del_rights_to_all_attr_value(
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=engineer), del=title:(|(title=architect)' \
|
|
|
be9751 |
- '(title=idiot))")(version 3.0; acl "$tet_thistest"; allow (write)' \
|
|
|
be9751 |
- ' (userdn = "ldap:///{}") ;)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(title=idiot))")(version 3.0; acl "{}"; allow (write)' \
|
|
|
be9751 |
+ ' (userdn = "ldap:///{}") ;)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "architect").add()
|
|
|
be9751 |
_AddTitleWithRoot(topo, "idiot").add()
|
|
|
be9751 |
@@ -395,13 +406,13 @@ def test_remove_an_attribute_if_we_have_del_rights_to_all_attr_value(
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_remove_an_attribute_if_we_donot_have_del_rights_to_all_attr_value(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
Test that we can use MODIFY:delete to entirely remove an attribute if we have not del
|
|
|
be9751 |
rights to all attr values
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: a6862eaa-7aa9-11e8-8bf9-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -414,8 +425,8 @@ def test_remove_an_attribute_if_we_donot_have_del_rights_to_all_attr_value(
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=engineer), del=title:(|(title=architect)' \
|
|
|
be9751 |
- '(title=idiot))")(version 3.0; acl "$tet_thistest"; allow (write) ' \
|
|
|
be9751 |
- '(userdn = "ldap:///{}") ;)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(title=idiot))")(version 3.0; acl "{}"; allow (write) ' \
|
|
|
be9751 |
+ '(userdn = "ldap:///{}") ;)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "architect").add()
|
|
|
be9751 |
_AddTitleWithRoot(topo, "sailor").add()
|
|
|
be9751 |
@@ -426,12 +437,12 @@ def test_remove_an_attribute_if_we_donot_have_del_rights_to_all_attr_value(
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_remove_an_attribute_if_we_have_del_rights_to_all_attr_values(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
Test that we can use MODIFY:replace to entirely remove an attribute if we have del rights to all attr values
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: ab04c7e8-7aa9-11e8-84db-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -444,8 +455,8 @@ def test_remove_an_attribute_if_we_have_del_rights_to_all_attr_values(
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=engineer), del=title:(|(title=architect)' \
|
|
|
be9751 |
- '(title=idiot))")(version 3.0; acl "$tet_thistest"; allow (write) ' \
|
|
|
be9751 |
- '(userdn = "ldap:///{}") ;)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(title=idiot))")(version 3.0; acl "{}"; allow (write) ' \
|
|
|
be9751 |
+ '(userdn = "ldap:///{}") ;)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "architect").add()
|
|
|
be9751 |
_AddTitleWithRoot(topo, "idiot").add()
|
|
|
be9751 |
@@ -455,12 +466,12 @@ def test_remove_an_attribute_if_we_have_del_rights_to_all_attr_values(
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_cantnot_delete_an_entry_with_attribute_values_we_are_not_allowed_delete(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
the attributes being added (or deleted))
|
|
|
be9751 |
- Test we cannot DELETE an entry with attribute values we are not allowed delete,
|
|
|
be9751 |
+ Test we cannot DELETE an entry with attribute values we are not allowed delete
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: b525d94c-7aa9-11e8-8539-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -474,7 +485,7 @@ def test_cantnot_delete_an_entry_with_attribute_values_we_are_not_allowed_delete
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(|(title=engineer)(title=cool dude)(title=scum)), ' \
|
|
|
be9751 |
'del=title:(|(title=engineer)(title=cool dude)(title=scum))")(version 3.0; ' \
|
|
|
be9751 |
- 'aci "$tet_thistest"; allow (delete) userdn = "ldap:///{}";)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ 'aci "{}"; allow (delete) userdn = "ldap:///{}";)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddFREDWithRoot(topo, "engineer", "cool dude", "ANuj").create()
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
@@ -484,12 +495,12 @@ def test_cantnot_delete_an_entry_with_attribute_values_we_are_not_allowed_delete
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_we_can_add_and_delete_an_entry_with_attribute_values_we_are_allowed_add_and_delete(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
Test we can DELETE an entry with attribute values we are allowed delete
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: ba138e54-7aa9-11e8-8037-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -503,7 +514,7 @@ def test_we_can_add_and_delete_an_entry_with_attribute_values_we_are_allowed_add
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(|(title=engineer)(title=cool dude)(title=scum)), ' \
|
|
|
be9751 |
'del=title:(|(title=engineer)(title=cool dude)(title=scum))")(version 3.0; ' \
|
|
|
be9751 |
- 'aci "$tet_thistest"; allow (delete) userdn = "ldap:///{}";)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ 'aci "{}"; allow (delete) userdn = "ldap:///{}";)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddFREDWithRoot(topo, "engineer", "cool dude", "scum").create()
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
@@ -511,12 +522,12 @@ def test_we_can_add_and_delete_an_entry_with_attribute_values_we_are_allowed_add
|
|
|
be9751 |
UserAccount(conn, FRED).delete()
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_allow_title(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+def test_allow_title(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
Test that if attr appears in targetattr and in targattrfilters then targattrfilters
|
|
|
be9751 |
applies--ie. targattrfilters is a refinement of targattrfilters.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: beadf328-7aa9-11e8-bb08-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -530,8 +541,8 @@ def test_allow_title(topo, _add_user, aci_of_user):
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targetattr="title")(targattrfilters = "add=title:(|(title=engineer)' \
|
|
|
be9751 |
'(title=cool dude)(title=scum)), del=title:(|(title=engineer)(title=cool dude)' \
|
|
|
be9751 |
- '(title=scum))")(version 3.0; aci "$tet_thistest"; allow (write) ' \
|
|
|
be9751 |
- 'userdn = "ldap:///{}";)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(title=scum))")(version 3.0; aci "{}"; allow (write) ' \
|
|
|
be9751 |
+ 'userdn = "ldap:///{}";)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "engineer").add()
|
|
|
be9751 |
_AddTitleWithRoot(topo, "cool dude").add()
|
|
|
be9751 |
@@ -541,11 +552,11 @@ def test_allow_title(topo, _add_user, aci_of_user):
|
|
|
be9751 |
_ModTitleArchitectJeffVedder(topo, "topdog", conn).add()
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_allow_to_modify(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+def test_allow_to_modify(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
Test that I can have secretary in targetattr and title in targattrfilters.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: c32e4704-7aa9-11e8-951d-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -559,8 +570,8 @@ def test_allow_to_modify(topo, _add_user, aci_of_user):
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targetattr="secretary")(targattrfilters = "add=title:(|(title=engineer)' \
|
|
|
be9751 |
'(title=cool dude)(title=scum)), del=title:(|(title=engineer)(title=cool dude)' \
|
|
|
be9751 |
- '(title=scum))")(version 3.0; aci "$tet_thistest"; allow (write)' \
|
|
|
be9751 |
- ' userdn = "ldap:///{}";)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(title=scum))")(version 3.0; aci "{}"; allow (write)' \
|
|
|
be9751 |
+ ' userdn = "ldap:///{}";)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "engineer").add()
|
|
|
be9751 |
_AddTitleWithRoot(topo, "cool dude").add()
|
|
|
be9751 |
@@ -571,11 +582,11 @@ def test_allow_to_modify(topo, _add_user, aci_of_user):
|
|
|
be9751 |
assert user.get_attr_val('secretary')
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_selfwrite_does_not_confer_write_on_a_targattrfilters_atribute(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
+def test_selfwrite_does_not_confer_write_on_a_targattrfilters_atribute(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
the attributes being added (or deleted))
|
|
|
be9751 |
Selfwrite does not confer "write" on a targattrfilters atribute.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: c7b9ec2e-7aa9-11e8-ba4a-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -589,7 +600,7 @@ def test_selfwrite_does_not_confer_write_on_a_targattrfilters_atribute(topo, _ad
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(|(title=engineer)(title=cool dude)(title=scum)), ' \
|
|
|
be9751 |
'del=title:(|(title=engineer)(title=cool dude)(title=scum))")(version 3.0; ' \
|
|
|
be9751 |
- 'aci "$tet_thistest"; allow (selfwrite) userdn = "ldap:///{}";)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ 'aci "{}"; allow (selfwrite) userdn = "ldap:///{}";)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
# aci will not allow to add selfwrite_does_not_confer_write_on_a_targattrfilters_atribute
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
@@ -598,12 +609,12 @@ def test_selfwrite_does_not_confer_write_on_a_targattrfilters_atribute(topo, _ad
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_selfwrite_continues_to_give_rights_to_attr_in_targetattr_list(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
the attributes being added (or deleted))
|
|
|
be9751 |
Selfwrite continues to give rights to attr in targetattr list.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: cd287680-7aa9-11e8-a8e2-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -617,8 +628,8 @@ def test_selfwrite_continues_to_give_rights_to_attr_in_targetattr_list(
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targetattr="secretary")(targattrfilters = "add=title:(|(title=engineer)' \
|
|
|
be9751 |
'(title=cool dude)(title=scum)), del=title:(|(title=engineer)(title=cool dude)' \
|
|
|
be9751 |
- '(title=scum))")(version 3.0; aci "$tet_thistest"; allow (selfwrite) ' \
|
|
|
be9751 |
- 'userdn = "ldap:///{}";)'.format(USER_WITH_ACI_DELADD)
|
|
|
be9751 |
+ '(title=scum))")(version 3.0; aci "{}"; allow (selfwrite) ' \
|
|
|
be9751 |
+ 'userdn = "ldap:///{}";)'.format(request.node.name, USER_WITH_ACI_DELADD)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
# selfwrite_continues_to_give_rights_to_attr_in_targetattr_list
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
@@ -627,12 +638,12 @@ def test_selfwrite_continues_to_give_rights_to_attr_in_targetattr_list(
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_add_an_attribute_value_we_are_allowed_to_add_with_ldapanyone(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
Test that we can MODIFY:add an attribute value we are allowed to add with ldap:///anyone
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: d1e1d7ac-7aa9-11e8-b968-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -645,7 +656,7 @@ def test_add_an_attribute_value_we_are_allowed_to_add_with_ldapanyone(
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targattrfilters = "add=title:(title=architect), del=title:(title=architect)")' \
|
|
|
be9751 |
- '(version 3.0; acl "$tet_thistest"; allow (write) userdn = "ldap:///anyone";)'
|
|
|
be9751 |
+ '(version 3.0; acl "{}"; allow (write) userdn = "ldap:///anyone";)'.format(request.node.name)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "engineer").add()
|
|
|
be9751 |
# aci will allow to add title architect
|
|
|
be9751 |
@@ -653,12 +664,12 @@ def test_add_an_attribute_value_we_are_allowed_to_add_with_ldapanyone(
|
|
|
be9751 |
_ModTitleArchitectJeffVedder(topo, "architect", conn).add()
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-def test_hierarchy(topo, _add_user, aci_of_user):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
+def test_hierarchy(topo, _add_user, aci_of_user, request):
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
the attributes being added (or deleted))
|
|
|
be9751 |
Test that with two targattrfilters in the hierarchy that the general one applies.
|
|
|
be9751 |
- This is the correct behaviour, even if it's a bit
|
|
|
be9751 |
+ This is the correct behaviour, even if it's a bit confusing
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: d7ae354a-7aa9-11e8-8b0d-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -670,10 +681,10 @@ def test_hierarchy(topo, _add_user, aci_of_user):
|
|
|
be9751 |
2. Operation should succeed
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
- ACI_BODY = '(targattrfilters = "add=title:(title=arch*)")(version 3.0; acl "$tet_thistest"; ' \
|
|
|
be9751 |
- 'allow (write) (userdn = "ldap:///anyone") ;)'
|
|
|
be9751 |
+ ACI_BODY = '(targattrfilters = "add=title:(title=arch*)")(version 3.0; acl "{}"; ' \
|
|
|
be9751 |
+ 'allow (write) (userdn = "ldap:///anyone") ;)'.format(request.node.name)
|
|
|
be9751 |
ACI_BODY1 = '(targattrfilters = "add=title:(title=architect)")(version 3.0; ' \
|
|
|
be9751 |
- 'acl "$tet_thistest"; allow (write) (userdn = "ldap:///anyone") ;)'
|
|
|
be9751 |
+ 'acl "{}"; allow (write) (userdn = "ldap:///anyone") ;)'.format(request.node.name)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY1)
|
|
|
be9751 |
_AddTitleWithRoot(topo, "engineer").add()
|
|
|
be9751 |
@@ -686,12 +697,12 @@ def test_hierarchy(topo, _add_user, aci_of_user):
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_targattrfilters_and_search_permissions_and_that_ldapmodify_works_as_expected(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of the
|
|
|
be9751 |
attributes being added (or deleted))
|
|
|
be9751 |
Test that we can have targattrfilters and search permissions and that ldapmodify works as expected.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: ddae7a22-7aa9-11e8-ad6b-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -704,8 +715,8 @@ def test_targattrfilters_and_search_permissions_and_that_ldapmodify_works_as_exp
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targetattr="secretary || objectclass || mail")(targattrfilters = "add=title:' \
|
|
|
be9751 |
- '(title=arch*)")(version 3.0; acl "$tet_thistest"; ' \
|
|
|
be9751 |
- 'allow (write,read,search,compare) (userdn = "ldap:///anyone") ;)'
|
|
|
be9751 |
+ '(title=arch*)")(version 3.0; acl "{}"; ' \
|
|
|
be9751 |
+ 'allow (write,read,search,compare) (userdn = "ldap:///anyone") ;)'.format(request.node.name)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
# aci will allow to add title architect
|
|
|
be9751 |
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
|
|
|
be9751 |
@@ -713,12 +724,12 @@ def test_targattrfilters_and_search_permissions_and_that_ldapmodify_works_as_exp
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_targattrfilters_and_search_permissions_and_that_ldapmodify_works_as_expected_two(
|
|
|
be9751 |
- topo, _add_user, aci_of_user
|
|
|
be9751 |
+ topo, _add_user, aci_of_user, request
|
|
|
be9751 |
):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
+ """Testing the targattrfilters keyword that allows access control based on the value of
|
|
|
be9751 |
the attributes being added (or deleted))
|
|
|
be9751 |
Test that we can have targattrfilters and search permissions and that ldapsearch works as expected.
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: e25d116e-7aa9-11e8-81d8-8c16451d917b
|
|
|
be9751 |
:setup: server
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -731,8 +742,8 @@ def test_targattrfilters_and_search_permissions_and_that_ldapmodify_works_as_exp
|
|
|
be9751 |
3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
ACI_BODY = '(targetattr="secretary || objectclass || mail")(targattrfilters = ' \
|
|
|
be9751 |
- '"add=title:(title=arch*)")(version 3.0; acl "$tet_thistest"; allow ' \
|
|
|
be9751 |
- '(write,read,search,compare) (userdn = "ldap:///anyone") ;)'
|
|
|
be9751 |
+ '"add=title:(title=arch*)")(version 3.0; acl "{}"; allow ' \
|
|
|
be9751 |
+ '(write,read,search,compare) (userdn = "ldap:///anyone") ;)'.format(request.node.name)
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
|
|
|
be9751 |
conn = Anonymous(topo.standalone).bind()
|
|
|
be9751 |
user = UserAccount(conn, USER_DELADD)
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py
|
|
|
be9751 |
index 02b73ee85..97908c31c 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/basic/basic_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/basic/basic_test.py
|
|
|
be9751 |
@@ -7,10 +7,6 @@
|
|
|
be9751 |
# --- END COPYRIGHT BLOCK ---
|
|
|
be9751 |
#
|
|
|
be9751 |
|
|
|
be9751 |
-"""
|
|
|
be9751 |
- :Requirement: Basic Directory Server Operations
|
|
|
be9751 |
-"""
|
|
|
be9751 |
-
|
|
|
be9751 |
from subprocess import check_output, PIPE, run
|
|
|
be9751 |
from lib389 import DirSrv
|
|
|
be9751 |
from lib389.idm.user import UserAccounts
|
|
|
be9751 |
@@ -255,11 +251,11 @@ def test_basic_import_export(topology_st, import_example_ldif):
|
|
|
be9751 |
"""
|
|
|
be9751 |
|
|
|
be9751 |
log.info('Running test_basic_import_export...')
|
|
|
be9751 |
-
|
|
|
be9751 |
#
|
|
|
be9751 |
# Test online/offline LDIF imports
|
|
|
be9751 |
#
|
|
|
be9751 |
topology_st.standalone.start()
|
|
|
be9751 |
+ # topology_st.standalone.config.set('nsslapd-errorlog-level', '1')
|
|
|
be9751 |
|
|
|
be9751 |
# Generate a test ldif (50k entries)
|
|
|
be9751 |
log.info("Generating LDIF...")
|
|
|
be9751 |
@@ -267,6 +263,7 @@ def test_basic_import_export(topology_st, import_example_ldif):
|
|
|
be9751 |
import_ldif = ldif_dir + '/basic_import.ldif'
|
|
|
be9751 |
dbgen_users(topology_st.standalone, 50000, import_ldif, DEFAULT_SUFFIX)
|
|
|
be9751 |
|
|
|
be9751 |
+
|
|
|
be9751 |
# Online
|
|
|
be9751 |
log.info("Importing LDIF online...")
|
|
|
be9751 |
import_task = ImportTask(topology_st.standalone)
|
|
|
be9751 |
@@ -937,7 +934,7 @@ def test_mod_def_rootdse_attr(topology_st, import_example_ldif, rootdse_attr):
|
|
|
be9751 |
:id: c7831e04-f458-4e23-83c7-b6f66109f639
|
|
|
be9751 |
:parametrized: yes
|
|
|
be9751 |
:setup: Standalone instance and we are using rootdse_attr fixture which
|
|
|
be9751 |
-adds nsslapd-return-default-opattr attr with value of one operation attribute.
|
|
|
be9751 |
+ adds nsslapd-return-default-opattr attr with value of one operation attribute.
|
|
|
be9751 |
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
1. Make an ldapsearch for rootdse attribute
|
|
|
be9751 |
@@ -1003,7 +1000,7 @@ def test_basic_anonymous_search(topology_st, create_users):
|
|
|
be9751 |
@pytest.mark.bz915801
|
|
|
be9751 |
def test_search_original_type(topology_st, create_users):
|
|
|
be9751 |
"""Test ldapsearch returning original attributes
|
|
|
be9751 |
- using nsslapd-search-return-original-type-switch
|
|
|
be9751 |
+ using nsslapd-search-return-original-type-switch
|
|
|
be9751 |
|
|
|
be9751 |
:id: d7831d04-f558-4e50-93c7-b6f77109f640
|
|
|
be9751 |
:setup: Standalone instance
|
|
|
be9751 |
@@ -1095,7 +1092,7 @@ def test_critical_msg_on_empty_range_idl(topology_st):
|
|
|
be9751 |
:setup: Standalone instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
1. Create an index for internationalISDNNumber. (attribute chosen because it is
|
|
|
be9751 |
- unlikely that previous tests used it)
|
|
|
be9751 |
+ unlikely that previous tests used it)
|
|
|
be9751 |
2. telephoneNumber being indexed by default create 20 users without telephoneNumber
|
|
|
be9751 |
3. add a telephoneNumber value and delete it to trigger an empty index database
|
|
|
be9751 |
4. Do a search that triggers a range lookup on empty telephoneNumber
|
|
|
be9751 |
@@ -1105,7 +1102,7 @@ def test_critical_msg_on_empty_range_idl(topology_st):
|
|
|
be9751 |
2. This should pass
|
|
|
be9751 |
3. This should pass
|
|
|
be9751 |
4. This should pass on normal build but could abort a debug build
|
|
|
be9751 |
- 4. This should pass
|
|
|
be9751 |
+ 5. This should pass
|
|
|
be9751 |
"""
|
|
|
be9751 |
indexedAttr = 'internationalISDNNumber'
|
|
|
be9751 |
|
|
|
be9751 |
@@ -1206,7 +1203,7 @@ def test_ldbm_modification_audit_log(topology_st):
|
|
|
be9751 |
assert conn.searchAuditLog('%s: %s' % (attr, VALUE))
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-@pytest.mark.skipif(not get_user_is_root() or not default_paths.perl_enabled or ds_is_older('1.4.0.0'),
|
|
|
be9751 |
+@pytest.mark.skipif(not get_user_is_root() or ds_is_older('1.4.0.0'),
|
|
|
be9751 |
reason="This test is only required if perl is enabled, and requires root.")
|
|
|
be9751 |
def test_dscreate(request):
|
|
|
be9751 |
"""Test that dscreate works, we need this for now until setup-ds.pl is
|
|
|
be9751 |
@@ -1356,7 +1353,7 @@ sample_entries = yes
|
|
|
be9751 |
return inst
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-@pytest.mark.skipif(not get_user_is_root() or not default_paths.perl_enabled or ds_is_older('1.4.2.0'),
|
|
|
be9751 |
+@pytest.mark.skipif(not get_user_is_root() or ds_is_older('1.4.2.0'),
|
|
|
be9751 |
reason="This test is only required with new admin cli, and requires root.")
|
|
|
be9751 |
@pytest.mark.bz1748016
|
|
|
be9751 |
@pytest.mark.ds50581
|
|
|
be9751 |
@@ -1367,7 +1364,7 @@ def test_dscreate_ldapi(dscreate_long_instance):
|
|
|
be9751 |
:id: 5d72d955-aff8-4741-8c9a-32c1c707cf1f
|
|
|
be9751 |
:setup: None
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
- 1. create an instance with a long serverId name, that open a ldapi connection
|
|
|
be9751 |
+ 1. Ccreate an instance with a long serverId name, that open a ldapi connection
|
|
|
be9751 |
2. Connect with ldapi, that hit 50581 and crash the instance
|
|
|
be9751 |
:expectedresults:
|
|
|
be9751 |
1. Should succeeds
|
|
|
be9751 |
@@ -1378,7 +1375,7 @@ def test_dscreate_ldapi(dscreate_long_instance):
|
|
|
be9751 |
log.info(root_dse.get_supported_ctrls())
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-@pytest.mark.skipif(not get_user_is_root() or not default_paths.perl_enabled or ds_is_older('1.4.2.0'),
|
|
|
be9751 |
+@pytest.mark.skipif(not get_user_is_root() or ds_is_older('1.4.2.0'),
|
|
|
be9751 |
reason="This test is only required with new admin cli, and requires root.")
|
|
|
be9751 |
@pytest.mark.bz1715406
|
|
|
be9751 |
@pytest.mark.ds50923
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/ds_logs/ds_logs_test.py b/dirsrvtests/tests/suites/ds_logs/ds_logs_test.py
|
|
|
be9751 |
index 94686f5f2..d67bcb13e 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/ds_logs/ds_logs_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/ds_logs/ds_logs_test.py
|
|
|
be9751 |
@@ -1,25 +1,26 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2015 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
# See LICENSE for details.
|
|
|
be9751 |
# --- END COPYRIGHT BLOCK ---
|
|
|
be9751 |
#
|
|
|
be9751 |
+from decimal import *
|
|
|
be9751 |
import os
|
|
|
be9751 |
import logging
|
|
|
be9751 |
import pytest
|
|
|
be9751 |
-import subprocess
|
|
|
be9751 |
from lib389._mapped_object import DSLdapObject
|
|
|
be9751 |
from lib389.topologies import topology_st
|
|
|
be9751 |
from lib389.plugins import AutoMembershipPlugin, ReferentialIntegrityPlugin, AutoMembershipDefinitions
|
|
|
be9751 |
from lib389.idm.user import UserAccounts
|
|
|
be9751 |
from lib389.idm.group import Groups
|
|
|
be9751 |
from lib389.idm.organizationalunit import OrganizationalUnits
|
|
|
be9751 |
-from lib389._constants import DEFAULT_SUFFIX, LOG_ACCESS_LEVEL, DN_CONFIG, HOST_STANDALONE, PORT_STANDALONE, DN_DM, PASSWORD
|
|
|
be9751 |
-from lib389.utils import ds_is_older
|
|
|
be9751 |
+from lib389._constants import DEFAULT_SUFFIX, LOG_ACCESS_LEVEL
|
|
|
be9751 |
+from lib389.utils import ds_is_older, ds_is_newer
|
|
|
be9751 |
import ldap
|
|
|
be9751 |
import glob
|
|
|
be9751 |
+import re
|
|
|
be9751 |
|
|
|
be9751 |
pytestmark = pytest.mark.tier1
|
|
|
be9751 |
|
|
|
be9751 |
@@ -30,7 +31,6 @@ PLUGIN_TIMESTAMP = 'nsslapd-logging-hr-timestamps-enabled'
|
|
|
be9751 |
PLUGIN_LOGGING = 'nsslapd-plugin-logging'
|
|
|
be9751 |
USER1_DN = 'uid=user1,' + DEFAULT_SUFFIX
|
|
|
be9751 |
|
|
|
be9751 |
-
|
|
|
be9751 |
def add_users(topology_st, users_num):
|
|
|
be9751 |
users = UserAccounts(topology_st, DEFAULT_SUFFIX)
|
|
|
be9751 |
log.info('Adding %d users' % users_num)
|
|
|
be9751 |
@@ -161,6 +161,20 @@ def clean_access_logs(topology_st, request):
|
|
|
be9751 |
|
|
|
be9751 |
return clean_access_logs
|
|
|
be9751 |
|
|
|
be9751 |
+@pytest.fixture(scope="function")
|
|
|
be9751 |
+def remove_users(topology_st, request):
|
|
|
be9751 |
+ def _remove_users():
|
|
|
be9751 |
+ topo = topology_st.standalone
|
|
|
be9751 |
+ users = UserAccounts(topo, DEFAULT_SUFFIX)
|
|
|
be9751 |
+ entries = users.list()
|
|
|
be9751 |
+ assert len(entries) > 0
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info("Removing all added users")
|
|
|
be9751 |
+ for entry in entries:
|
|
|
be9751 |
+ delete_obj(entry)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ request.addfinalizer(_remove_users)
|
|
|
be9751 |
+
|
|
|
be9751 |
|
|
|
be9751 |
def set_audit_log_config_values(topology_st, request, enabled, logsize):
|
|
|
be9751 |
topo = topology_st.standalone
|
|
|
be9751 |
@@ -181,6 +195,17 @@ def set_audit_log_config_values(topology_st, request, enabled, logsize):
|
|
|
be9751 |
def set_audit_log_config_values_to_rotate(topology_st, request):
|
|
|
be9751 |
set_audit_log_config_values(topology_st, request, 'on', '1')
|
|
|
be9751 |
|
|
|
be9751 |
+@pytest.fixture(scope="function")
|
|
|
be9751 |
+def disable_access_log_buffering(topology_st, request):
|
|
|
be9751 |
+ log.info('Disable access log buffering')
|
|
|
be9751 |
+ topology_st.standalone.config.set('nsslapd-accesslog-logbuffering', 'off')
|
|
|
be9751 |
+ def fin():
|
|
|
be9751 |
+ log.info('Enable access log buffering')
|
|
|
be9751 |
+ topology_st.standalone.config.set('nsslapd-accesslog-logbuffering', 'on')
|
|
|
be9751 |
+
|
|
|
be9751 |
+ request.addfinalizer(fin)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ return disable_access_log_buffering
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.mark.bz1273549
|
|
|
be9751 |
def test_check_default(topology_st):
|
|
|
be9751 |
@@ -226,11 +251,11 @@ def test_plugin_set_invalid(topology_st):
|
|
|
be9751 |
|
|
|
be9751 |
log.info('test_plugin_set_invalid - Expect to fail with junk value')
|
|
|
be9751 |
with pytest.raises(ldap.OPERATIONS_ERROR):
|
|
|
be9751 |
- result = topology_st.standalone.config.set(PLUGIN_TIMESTAMP, 'JUNK')
|
|
|
be9751 |
+ topology_st.standalone.config.set(PLUGIN_TIMESTAMP, 'JUNK')
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.mark.bz1273549
|
|
|
be9751 |
-def test_log_plugin_on(topology_st):
|
|
|
be9751 |
+def test_log_plugin_on(topology_st, remove_users):
|
|
|
be9751 |
"""Check access logs for millisecond, when
|
|
|
be9751 |
nsslapd-logging-hr-timestamps-enabled=ON
|
|
|
be9751 |
|
|
|
be9751 |
@@ -266,7 +291,7 @@ def test_log_plugin_on(topology_st):
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.mark.bz1273549
|
|
|
be9751 |
-def test_log_plugin_off(topology_st):
|
|
|
be9751 |
+def test_log_plugin_off(topology_st, remove_users):
|
|
|
be9751 |
"""Milliseconds should be absent from access logs when
|
|
|
be9751 |
nsslapd-logging-hr-timestamps-enabled=OFF
|
|
|
be9751 |
|
|
|
be9751 |
@@ -303,6 +328,7 @@ def test_log_plugin_off(topology_st):
|
|
|
be9751 |
topology_st.standalone.deleteAccessLogs()
|
|
|
be9751 |
|
|
|
be9751 |
# Now generate some fresh logs
|
|
|
be9751 |
+ add_users(topology_st.standalone, 10)
|
|
|
be9751 |
search_users(topology_st.standalone)
|
|
|
be9751 |
|
|
|
be9751 |
log.info('Restart the server to flush the logs')
|
|
|
be9751 |
@@ -317,8 +343,9 @@ def test_log_plugin_off(topology_st):
|
|
|
be9751 |
@pytest.mark.xfail(ds_is_older('1.4.0'), reason="May fail on 1.3.x because of bug 1358706")
|
|
|
be9751 |
@pytest.mark.bz1358706
|
|
|
be9751 |
@pytest.mark.ds49029
|
|
|
be9751 |
-def test_internal_log_server_level_0(topology_st, clean_access_logs):
|
|
|
be9751 |
+def test_internal_log_server_level_0(topology_st, clean_access_logs, disable_access_log_buffering):
|
|
|
be9751 |
"""Tests server-initiated internal operations
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 798d06fe-92e8-4648-af66-21349c20638e
|
|
|
be9751 |
:setup: Standalone instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
@@ -362,22 +389,23 @@ def test_internal_log_server_level_0(topology_st, clean_access_logs):
|
|
|
be9751 |
@pytest.mark.xfail(ds_is_older('1.4.0'), reason="May fail on 1.3.x because of bug 1358706")
|
|
|
be9751 |
@pytest.mark.bz1358706
|
|
|
be9751 |
@pytest.mark.ds49029
|
|
|
be9751 |
-def test_internal_log_server_level_4(topology_st, clean_access_logs):
|
|
|
be9751 |
+def test_internal_log_server_level_4(topology_st, clean_access_logs, disable_access_log_buffering):
|
|
|
be9751 |
"""Tests server-initiated internal operations
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: a3500e47-d941-4575-b399-e3f4b49bc4b6
|
|
|
be9751 |
:setup: Standalone instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
1. Set nsslapd-plugin-logging to on
|
|
|
be9751 |
2. Configure access log level to only 4
|
|
|
be9751 |
3. Check the access logs, it should contain info about MOD operation of cn=config and other
|
|
|
be9751 |
- internal operations should have the conn field set to Internal
|
|
|
be9751 |
- and all values inside parenthesis set to 0.
|
|
|
be9751 |
+ internal operations should have the conn field set to Internal
|
|
|
be9751 |
+ and all values inside parenthesis set to 0.
|
|
|
be9751 |
:expectedresults:
|
|
|
be9751 |
1. Operation should be successful
|
|
|
be9751 |
2. Operation should be successful
|
|
|
be9751 |
3. Access log should contain correct internal log formats with cn=config modification:
|
|
|
be9751 |
- "(Internal) op=2(1)(1)"
|
|
|
be9751 |
- "conn=Internal(0)"
|
|
|
be9751 |
+ "(Internal) op=2(1)(1)"
|
|
|
be9751 |
+ "conn=Internal(0)"
|
|
|
be9751 |
"""
|
|
|
be9751 |
|
|
|
be9751 |
topo = topology_st.standalone
|
|
|
be9751 |
@@ -398,8 +426,8 @@ def test_internal_log_server_level_4(topology_st, clean_access_logs):
|
|
|
be9751 |
log.info("Check if access log contains internal MOD operation in correct format")
|
|
|
be9751 |
# (Internal) op=2(2)(1) SRCH base="cn=config
|
|
|
be9751 |
assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="cn=config.*')
|
|
|
be9751 |
- # (Internal) op=2(2)(1) RESULT err=0 tag=48 nentries=1
|
|
|
be9751 |
- assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48 nentries=1.*')
|
|
|
be9751 |
+ # (Internal) op=2(2)(1) RESULT err=0 tag=48 nentries=
|
|
|
be9751 |
+ assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48 nentries=.*')
|
|
|
be9751 |
|
|
|
be9751 |
log.info("Check if the other internal operations have the correct format")
|
|
|
be9751 |
# conn=Internal(0) op=0
|
|
|
be9751 |
@@ -411,8 +439,9 @@ def test_internal_log_server_level_4(topology_st, clean_access_logs):
|
|
|
be9751 |
@pytest.mark.xfail(ds_is_older('1.4.0'), reason="May fail on 1.3.x because of bug 1358706")
|
|
|
be9751 |
@pytest.mark.bz1358706
|
|
|
be9751 |
@pytest.mark.ds49029
|
|
|
be9751 |
-def test_internal_log_level_260(topology_st, add_user_log_level_260):
|
|
|
be9751 |
+def test_internal_log_level_260(topology_st, add_user_log_level_260, disable_access_log_buffering):
|
|
|
be9751 |
"""Tests client initiated operations when automember plugin is enabled
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: e68a303e-c037-42b2-a5a0-fbea27c338a9
|
|
|
be9751 |
:setup: Standalone instance with internal operation
|
|
|
be9751 |
logging on and nsslapd-plugin-logging to on
|
|
|
be9751 |
@@ -465,9 +494,10 @@ def test_internal_log_level_260(topology_st, add_user_log_level_260):
|
|
|
be9751 |
# 'newrdn="uid=new_test_user_777" newsuperior="dc=example,dc=com"
|
|
|
be9751 |
assert topo.ds_access_log.match(r'.*op=[0-9]+ MODRDN dn="uid=test_user_777,ou=branch1,dc=example,dc=com" '
|
|
|
be9751 |
'newrdn="uid=new_test_user_777" newsuperior="dc=example,dc=com".*')
|
|
|
be9751 |
- # (Internal) op=12(1)(1) SRCH base="uid=test_user_777, ou=branch1,dc=example,dc=com"
|
|
|
be9751 |
- assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=test_user_777,'
|
|
|
be9751 |
- 'ou=branch1,dc=example,dc=com".*')
|
|
|
be9751 |
+ if ds_is_older(('1.4.3.9', '1.4.4.3')):
|
|
|
be9751 |
+ # (Internal) op=12(1)(1) SRCH base="uid=test_user_777, ou=branch1,dc=example,dc=com"
|
|
|
be9751 |
+ assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=test_user_777,'
|
|
|
be9751 |
+ 'ou=branch1,dc=example,dc=com".*')
|
|
|
be9751 |
# (Internal) op=12(1)(1) RESULT err=0 tag=48 nentries=1
|
|
|
be9751 |
assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48 nentries=1.*')
|
|
|
be9751 |
# op=12 RESULT err=0 tag=109
|
|
|
be9751 |
@@ -476,9 +506,10 @@ def test_internal_log_level_260(topology_st, add_user_log_level_260):
|
|
|
be9751 |
log.info("Check the access logs for DEL operation of the user")
|
|
|
be9751 |
# op=15 DEL dn="uid=new_test_user_777,dc=example,dc=com"
|
|
|
be9751 |
assert topo.ds_access_log.match(r'.*op=[0-9]+ DEL dn="uid=new_test_user_777,dc=example,dc=com".*')
|
|
|
be9751 |
- # (Internal) op=15(1)(1) SRCH base="uid=new_test_user_777, dc=example,dc=com"
|
|
|
be9751 |
- assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=new_test_user_777,'
|
|
|
be9751 |
- 'dc=example,dc=com".*')
|
|
|
be9751 |
+ if ds_is_older(('1.4.3.9', '1.4.4.3')):
|
|
|
be9751 |
+ # (Internal) op=15(1)(1) SRCH base="uid=new_test_user_777, dc=example,dc=com"
|
|
|
be9751 |
+ assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=new_test_user_777,'
|
|
|
be9751 |
+ 'dc=example,dc=com".*')
|
|
|
be9751 |
# (Internal) op=15(1)(1) RESULT err=0 tag=48 nentries=1
|
|
|
be9751 |
assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48 nentries=1.*')
|
|
|
be9751 |
# op=15 RESULT err=0 tag=107
|
|
|
be9751 |
@@ -492,8 +523,9 @@ def test_internal_log_level_260(topology_st, add_user_log_level_260):
|
|
|
be9751 |
@pytest.mark.xfail(ds_is_older('1.4.0'), reason="May fail on 1.3.x because of bug 1358706")
|
|
|
be9751 |
@pytest.mark.bz1358706
|
|
|
be9751 |
@pytest.mark.ds49029
|
|
|
be9751 |
-def test_internal_log_level_131076(topology_st, add_user_log_level_131076):
|
|
|
be9751 |
+def test_internal_log_level_131076(topology_st, add_user_log_level_131076, disable_access_log_buffering):
|
|
|
be9751 |
"""Tests client-initiated operations while referential integrity plugin is enabled
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: 44836ac9-dabd-4a8c-abd5-ecd7c2509739
|
|
|
be9751 |
:setup: Standalone instance
|
|
|
be9751 |
Configure access log level to - 131072 + 4
|
|
|
be9751 |
@@ -547,9 +579,10 @@ def test_internal_log_level_131076(topology_st, add_user_log_level_131076):
|
|
|
be9751 |
# 'newrdn="uid=new_test_user_777" newsuperior="dc=example,dc=com"
|
|
|
be9751 |
assert not topo.ds_access_log.match(r'.*op=[0-9]+ MODRDN dn="uid=test_user_777,ou=branch1,dc=example,dc=com" '
|
|
|
be9751 |
'newrdn="uid=new_test_user_777" newsuperior="dc=example,dc=com".*')
|
|
|
be9751 |
- # (Internal) op=12(1)(1) SRCH base="uid=test_user_777, ou=branch1,dc=example,dc=com"
|
|
|
be9751 |
- assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=test_user_777,'
|
|
|
be9751 |
- 'ou=branch1,dc=example,dc=com".*')
|
|
|
be9751 |
+ if ds_is_older(('1.4.3.9', '1.4.4.3')):
|
|
|
be9751 |
+ # (Internal) op=12(1)(1) SRCH base="uid=test_user_777, ou=branch1,dc=example,dc=com"
|
|
|
be9751 |
+ assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=test_user_777,'
|
|
|
be9751 |
+ 'ou=branch1,dc=example,dc=com".*')
|
|
|
be9751 |
# (Internal) op=12(1)(1) RESULT err=0 tag=48 nentries=1
|
|
|
be9751 |
assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48 nentries=1.*')
|
|
|
be9751 |
# op=12 RESULT err=0 tag=109
|
|
|
be9751 |
@@ -558,9 +591,10 @@ def test_internal_log_level_131076(topology_st, add_user_log_level_131076):
|
|
|
be9751 |
log.info("Check the access logs for DEL operation of the user")
|
|
|
be9751 |
# op=15 DEL dn="uid=new_test_user_777,dc=example,dc=com"
|
|
|
be9751 |
assert not topo.ds_access_log.match(r'.*op=[0-9]+ DEL dn="uid=new_test_user_777,dc=example,dc=com".*')
|
|
|
be9751 |
- # (Internal) op=15(1)(1) SRCH base="uid=new_test_user_777, dc=example,dc=com"
|
|
|
be9751 |
- assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=new_test_user_777,'
|
|
|
be9751 |
- 'dc=example,dc=com".*')
|
|
|
be9751 |
+ if ds_is_older(('1.4.3.9', '1.4.4.3')):
|
|
|
be9751 |
+ # (Internal) op=15(1)(1) SRCH base="uid=new_test_user_777, dc=example,dc=com"
|
|
|
be9751 |
+ assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=new_test_user_777,'
|
|
|
be9751 |
+ 'dc=example,dc=com".*')
|
|
|
be9751 |
# (Internal) op=15(1)(1) RESULT err=0 tag=48 nentries=1
|
|
|
be9751 |
assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48 nentries=1.*')
|
|
|
be9751 |
# op=15 RESULT err=0 tag=107
|
|
|
be9751 |
@@ -574,8 +608,9 @@ def test_internal_log_level_131076(topology_st, add_user_log_level_131076):
|
|
|
be9751 |
@pytest.mark.xfail(ds_is_older('1.4.0'), reason="May fail on 1.3.x because of bug 1358706")
|
|
|
be9751 |
@pytest.mark.bz1358706
|
|
|
be9751 |
@pytest.mark.ds49029
|
|
|
be9751 |
-def test_internal_log_level_516(topology_st, add_user_log_level_516):
|
|
|
be9751 |
+def test_internal_log_level_516(topology_st, add_user_log_level_516, disable_access_log_buffering):
|
|
|
be9751 |
"""Tests client initiated operations when referential integrity plugin is enabled
|
|
|
be9751 |
+
|
|
|
be9751 |
:id: bee1d681-763d-4fa5-aca2-569cf93f8b71
|
|
|
be9751 |
:setup: Standalone instance
|
|
|
be9751 |
Configure access log level to - 512+4
|
|
|
be9751 |
@@ -624,34 +659,34 @@ def test_internal_log_level_516(topology_st, add_user_log_level_516):
|
|
|
be9751 |
assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48 nentries=1*')
|
|
|
be9751 |
# (Internal) op=10(1)(1) RESULT err=0 tag=48
|
|
|
be9751 |
assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48.*')
|
|
|
be9751 |
- # op=10 RESULT err=0 tag=105
|
|
|
be9751 |
- assert not topo.ds_access_log.match(r'.*op=[0-9]+ RESULT err=0 tag=105.*')
|
|
|
be9751 |
|
|
|
be9751 |
log.info("Check the access logs for MOD operation of the user")
|
|
|
be9751 |
# op=12 MODRDN dn="uid=test_user_777,ou=branch1,dc=example,dc=com" '
|
|
|
be9751 |
# 'newrdn="uid=new_test_user_777" newsuperior="dc=example,dc=com"
|
|
|
be9751 |
assert not topo.ds_access_log.match(r'.*op=[0-9]+ MODRDN dn="uid=test_user_777,ou=branch1,dc=example,dc=com" '
|
|
|
be9751 |
'newrdn="uid=new_test_user_777" newsuperior="dc=example,dc=com".*')
|
|
|
be9751 |
- # Internal) op=12(1)(1) SRCH base="uid=test_user_777, ou=branch1,dc=example,dc=com"
|
|
|
be9751 |
- assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=test_user_777,'
|
|
|
be9751 |
- 'ou=branch1,dc=example,dc=com".*')
|
|
|
be9751 |
- # (Internal) op=12(1)(1) ENTRY dn="uid=test_user_777, ou=branch1,dc=example,dc=com"
|
|
|
be9751 |
- assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) ENTRY dn="uid=test_user_777,'
|
|
|
be9751 |
- 'ou=branch1,dc=example,dc=com".*')
|
|
|
be9751 |
+ if ds_is_older(('1.4.3.9', '1.4.4.3')):
|
|
|
be9751 |
+ # Internal) op=12(1)(1) SRCH base="uid=test_user_777, ou=branch1,dc=example,dc=com"
|
|
|
be9751 |
+ assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=test_user_777,'
|
|
|
be9751 |
+ 'ou=branch1,dc=example,dc=com".*')
|
|
|
be9751 |
+ # (Internal) op=12(1)(1) ENTRY dn="uid=test_user_777, ou=branch1,dc=example,dc=com"
|
|
|
be9751 |
+ assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) ENTRY dn="uid=test_user_777,'
|
|
|
be9751 |
+ 'ou=branch1,dc=example,dc=com".*')
|
|
|
be9751 |
# (Internal) op=12(1)(1) RESULT err=0 tag=48 nentries=1
|
|
|
be9751 |
assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48 nentries=1.*')
|
|
|
be9751 |
- # op=12 RESULT err=0 tag=109
|
|
|
be9751 |
- assert not topo.ds_access_log.match(r'.*op=[0-9]+ RESULT err=0 tag=109.*')
|
|
|
be9751 |
+ # op=12 RESULT err=0 tag=48
|
|
|
be9751 |
+ assert not topo.ds_access_log.match(r'.*op=[0-9]+ RESULT err=0 tag=48.*')
|
|
|
be9751 |
|
|
|
be9751 |
log.info("Check the access logs for DEL operation of the user")
|
|
|
be9751 |
# op=15 DEL dn="uid=new_test_user_777,dc=example,dc=com"
|
|
|
be9751 |
assert not topo.ds_access_log.match(r'.*op=[0-9]+ DEL dn="uid=new_test_user_777,dc=example,dc=com".*')
|
|
|
be9751 |
- # (Internal) op=15(1)(1) SRCH base="uid=new_test_user_777, dc=example,dc=com"
|
|
|
be9751 |
- assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=new_test_user_777,'
|
|
|
be9751 |
- 'dc=example,dc=com".*')
|
|
|
be9751 |
- # (Internal) op=15(1)(1) ENTRY dn="uid=new_test_user_777, dc=example,dc=com"
|
|
|
be9751 |
- assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) ENTRY dn="uid=new_test_user_777,'
|
|
|
be9751 |
- 'dc=example,dc=com".*')
|
|
|
be9751 |
+ if ds_is_older(('1.4.3.9', '1.4.4.3')):
|
|
|
be9751 |
+ # (Internal) op=15(1)(1) SRCH base="uid=new_test_user_777, dc=example,dc=com"
|
|
|
be9751 |
+ assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) SRCH base="uid=new_test_user_777,'
|
|
|
be9751 |
+ 'dc=example,dc=com".*')
|
|
|
be9751 |
+ # (Internal) op=15(1)(1) ENTRY dn="uid=new_test_user_777, dc=example,dc=com"
|
|
|
be9751 |
+ assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) ENTRY dn="uid=new_test_user_777,'
|
|
|
be9751 |
+ 'dc=example,dc=com".*')
|
|
|
be9751 |
# (Internal) op=15(1)(1) RESULT err=0 tag=48 nentries=1
|
|
|
be9751 |
assert topo.ds_access_log.match(r'.*\(Internal\) op=[0-9]+\([0-9]+\)\([0-9]+\) RESULT err=0 tag=48 nentries=1.*')
|
|
|
be9751 |
# op=15 RESULT err=0 tag=107
|
|
|
be9751 |
@@ -698,14 +733,13 @@ def test_access_log_truncated_search_message(topology_st, clean_access_logs):
|
|
|
be9751 |
assert not topo.ds_access_log.match(r'.*cn500.*')
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
-
|
|
|
be9751 |
+@pytest.mark.skipif(ds_is_newer("1.4.3"), reason="rsearch was removed")
|
|
|
be9751 |
@pytest.mark.xfail(ds_is_older('1.4.2.0'), reason="May fail because of bug 1732053")
|
|
|
be9751 |
@pytest.mark.bz1732053
|
|
|
be9751 |
@pytest.mark.ds50510
|
|
|
be9751 |
def test_etime_at_border_of_second(topology_st, clean_access_logs):
|
|
|
be9751 |
topo = topology_st.standalone
|
|
|
be9751 |
|
|
|
be9751 |
-
|
|
|
be9751 |
prog = os.path.join(topo.ds_paths.bin_dir, 'rsearch')
|
|
|
be9751 |
|
|
|
be9751 |
cmd = [prog]
|
|
|
be9751 |
@@ -741,11 +775,167 @@ def test_etime_at_border_of_second(topology_st, clean_access_logs):
|
|
|
be9751 |
assert not invalid_etime
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
+@pytest.mark.skipif(ds_is_older('1.3.10.1', '1.4.1'), reason="Fail because of bug 1749236")
|
|
|
be9751 |
+@pytest.mark.bz1749236
|
|
|
be9751 |
+def test_etime_order_of_magnitude(topology_st, clean_access_logs, remove_users, disable_access_log_buffering):
|
|
|
be9751 |
+ """Test that the etime reported in the access log has a correct order of magnitude
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: e815cfa0-8136-4932-b50f-c3dfac34b0e6
|
|
|
be9751 |
+ :setup: Standalone instance
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Unset log buffering for the access log
|
|
|
be9751 |
+ 2. Delete potential existing access logs
|
|
|
be9751 |
+ 3. Add users
|
|
|
be9751 |
+ 4. Search users
|
|
|
be9751 |
+ 5. Restart the server to flush the logs
|
|
|
be9751 |
+ 6. Parse the access log looking for the SRCH operation log
|
|
|
be9751 |
+ 7. From the SRCH string get the start time and op number of the operation
|
|
|
be9751 |
+ 8. From the op num find the associated RESULT string in the access log
|
|
|
be9751 |
+ 9. From the RESULT string get the end time and the etime for the operation
|
|
|
be9751 |
+ 10. Calculate the ratio between the calculated elapsed time (end time - start time) and the logged etime
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. access log buffering is off
|
|
|
be9751 |
+ 2. Previously existing access logs are deleted
|
|
|
be9751 |
+ 3. Users are successfully added
|
|
|
be9751 |
+ 4. Search operation is successful
|
|
|
be9751 |
+ 5. Server is restarted and logs are flushed
|
|
|
be9751 |
+ 6. SRCH operation log string is catched
|
|
|
be9751 |
+ 7. start time and op number are collected
|
|
|
be9751 |
+ 8. RESULT string is catched from the access log
|
|
|
be9751 |
+ 9. end time and etime are collected
|
|
|
be9751 |
+ 10. ratio between calculated elapsed time and logged etime is less or equal to 1
|
|
|
be9751 |
+ """
|
|
|
be9751 |
+
|
|
|
be9751 |
+ DSLdapObject(topology_st.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('add_users')
|
|
|
be9751 |
+ add_users(topology_st.standalone, 30)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info ('search users')
|
|
|
be9751 |
+ search_users(topology_st.standalone)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('parse the access logs to get the SRCH string')
|
|
|
be9751 |
+ # Here we are looking at the whole string logged for the search request with base ou=People,dc=example,dc=com
|
|
|
be9751 |
+ search_str = str(topology_st.standalone.ds_access_log.match(r'.*SRCH base="ou=People,dc=example,dc=com.*'))[1:-1]
|
|
|
be9751 |
+ assert len(search_str) > 0
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # the search_str returned looks like :
|
|
|
be9751 |
+ # [23/Apr/2020:06:06:14.360857624 -0400] conn=1 op=93 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(&(objectClass=account)(objectClass=posixaccount)(objectClass=inetOrgPerson)(objectClass=organizationalPerson))" attrs="distinguishedName"
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('get the operation start time from the SRCH string')
|
|
|
be9751 |
+ # Here we are getting the sec.nanosec part of the date, '14.360857624' in the example above
|
|
|
be9751 |
+ start_time = (search_str.split()[0]).split(':')[3]
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('get the OP number from the SRCH string')
|
|
|
be9751 |
+ # Here we are getting the op number, 'op=93' in the above example
|
|
|
be9751 |
+ op_num = search_str.split()[3]
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('get the RESULT string matching the SRCH OP number')
|
|
|
be9751 |
+ # Here we are looking at the RESULT string for the above search op, 'op=93' in this example
|
|
|
be9751 |
+ result_str = str(topology_st.standalone.ds_access_log.match(r'.*{} RESULT*'.format(op_num)))[1:-1]
|
|
|
be9751 |
+ assert len(result_str) > 0
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # The result_str returned looks like :
|
|
|
be9751 |
+ # For ds older than 1.4.3.8: [23/Apr/2020:06:06:14.366429900 -0400] conn=1 op=93 RESULT err=0 tag=101 nentries=30 etime=0.005723017
|
|
|
be9751 |
+ # For ds newer than 1.4.3.8: [21/Oct/2020:09:27:50.095209871 -0400] conn=1 op=96 RESULT err=0 tag=101 nentries=30 wtime=0.000412584 optime=0.005428971 etime=0.005836077
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('get the operation end time from the RESULT string')
|
|
|
be9751 |
+ # Here we are getting the sec.nanosec part of the date, '14.366429900' in the above example
|
|
|
be9751 |
+ end_time = (result_str.split()[0]).split(':')[3]
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('get the logged etime for the operation from the RESULT string')
|
|
|
be9751 |
+ # Here we are getting the etime value, '0.005723017' in the example above
|
|
|
be9751 |
+ if ds_is_older('1.4.3.8'):
|
|
|
be9751 |
+ etime = result_str.split()[8].split('=')[1][:-3]
|
|
|
be9751 |
+ else:
|
|
|
be9751 |
+ etime = result_str.split()[10].split('=')[1][:-3]
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('Calculate the ratio between logged etime for the operation and elapsed time from its start time to its end time - should be around 1')
|
|
|
be9751 |
+ etime_ratio = (Decimal(end_time) - Decimal(start_time)) // Decimal(etime)
|
|
|
be9751 |
+ assert etime_ratio <= 1
|
|
|
be9751 |
+
|
|
|
be9751 |
+
|
|
|
be9751 |
+@pytest.mark.skipif(ds_is_older('1.4.3.8'), reason="Fail because of bug 1850275")
|
|
|
be9751 |
+@pytest.mark.bz1850275
|
|
|
be9751 |
+def test_optime_and_wtime_keywords(topology_st, clean_access_logs, remove_users, disable_access_log_buffering):
|
|
|
be9751 |
+ """Test that the new optime and wtime keywords are present in the access log and have correct values
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: dfb4a49d-1cfc-400e-ba43-c107f58d62cf
|
|
|
be9751 |
+ :setup: Standalone instance
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Unset log buffering for the access log
|
|
|
be9751 |
+ 2. Delete potential existing access logs
|
|
|
be9751 |
+ 3. Add users
|
|
|
be9751 |
+ 4. Search users
|
|
|
be9751 |
+ 5. Parse the access log looking for the SRCH operation log
|
|
|
be9751 |
+ 6. From the SRCH string get the op number of the operation
|
|
|
be9751 |
+ 7. From the op num find the associated RESULT string in the access log
|
|
|
be9751 |
+ 8. Search for the wtime optime keywords in the RESULT string
|
|
|
be9751 |
+ 9. From the RESULT string get the wtime, optime and etime values for the operation
|
|
|
be9751 |
+ 10. Check that optime + wtime is approximatively etime
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. access log buffering is off
|
|
|
be9751 |
+ 2. Previously existing access logs are deleted
|
|
|
be9751 |
+ 3. Users are successfully added
|
|
|
be9751 |
+ 4. Search operation is successful
|
|
|
be9751 |
+ 5. SRCH operation log string is catched
|
|
|
be9751 |
+ 6. op number is collected
|
|
|
be9751 |
+ 7. RESULT string is catched from the access log
|
|
|
be9751 |
+ 8. wtime and optime keywords are collected
|
|
|
be9751 |
+ 9. wtime, optime and etime values are collected
|
|
|
be9751 |
+ 10. (optime + wtime) =~ etime
|
|
|
be9751 |
+ """
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('add_users')
|
|
|
be9751 |
+ add_users(topology_st.standalone, 30)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info ('search users')
|
|
|
be9751 |
+ search_users(topology_st.standalone)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('parse the access logs to get the SRCH string')
|
|
|
be9751 |
+ # Here we are looking at the whole string logged for the search request with base ou=People,dc=example,dc=com
|
|
|
be9751 |
+ search_str = str(topology_st.standalone.ds_access_log.match(r'.*SRCH base="ou=People,dc=example,dc=com.*'))[1:-1]
|
|
|
be9751 |
+ assert len(search_str) > 0
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # the search_str returned looks like :
|
|
|
be9751 |
+ # [22/Oct/2020:09:47:11.951316798 -0400] conn=1 op=96 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(&(objectClass=account)(objectClass=posixaccount)(objectClass=inetOrgPerson)(objectClass=organizationalPerson))" attrs="distinguishedName"
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('get the OP number from the SRCH string')
|
|
|
be9751 |
+ # Here we are getting the op number, 'op=96' in the above example
|
|
|
be9751 |
+ op_num = search_str.split()[3]
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('get the RESULT string matching the SRCH op number')
|
|
|
be9751 |
+ # Here we are looking at the RESULT string for the above search op, 'op=96' in this example
|
|
|
be9751 |
+ result_str = str(topology_st.standalone.ds_access_log.match(r'.*{} RESULT*'.format(op_num)))[1:-1]
|
|
|
be9751 |
+ assert len(result_str) > 0
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # The result_str returned looks like :
|
|
|
be9751 |
+ # [22/Oct/2020:09:47:11.963276018 -0400] conn=1 op=96 RESULT err=0 tag=101 nentries=30 wtime=0.000180294 optime=0.011966632 etime=0.012141311
|
|
|
be9751 |
+ log.info('Search for the wtime keyword in the RESULT string')
|
|
|
be9751 |
+ assert re.search('wtime', result_str)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('get the wtime value from the RESULT string')
|
|
|
be9751 |
+ wtime_value = result_str.split()[8].split('=')[1][:-3]
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('Search for the optime keyword in the RESULT string')
|
|
|
be9751 |
+ assert re.search('optime', result_str)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('get the optime value from the RESULT string')
|
|
|
be9751 |
+ optime_value = result_str.split()[9].split('=')[1][:-3]
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('get the etime value from the RESULT string')
|
|
|
be9751 |
+ etime_value = result_str.split()[10].split('=')[1][:-3]
|
|
|
be9751 |
+
|
|
|
be9751 |
+ log.info('Check that (wtime + optime) is approximately equal to etime i.e. their ratio is 1')
|
|
|
be9751 |
+ etime_ratio = (Decimal(wtime_value) + Decimal(optime_value)) // Decimal(etime_value)
|
|
|
be9751 |
+ assert etime_ratio == 1
|
|
|
be9751 |
+
|
|
|
be9751 |
+
|
|
|
be9751 |
@pytest.mark.xfail(ds_is_older('1.3.10.1'), reason="May fail because of bug 1662461")
|
|
|
be9751 |
@pytest.mark.bz1662461
|
|
|
be9751 |
@pytest.mark.ds50428
|
|
|
be9751 |
@pytest.mark.ds49969
|
|
|
be9751 |
-def test_log_base_dn_when_invalid_attr_request(topology_st):
|
|
|
be9751 |
+def test_log_base_dn_when_invalid_attr_request(topology_st, disable_access_log_buffering):
|
|
|
be9751 |
"""Test that DS correctly logs the base dn when a search with invalid attribute request is performed
|
|
|
be9751 |
|
|
|
be9751 |
:id: 859de962-c261-4ffb-8705-97bceab1ba2c
|
|
|
be9751 |
@@ -753,7 +943,7 @@ def test_log_base_dn_when_invalid_attr_request(topology_st):
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
1. Disable the accesslog-logbuffering config parameter
|
|
|
be9751 |
2. Delete the previous access log
|
|
|
be9751 |
- 3. Perform a base search on the DEFAULT_SUFFIX, using invalid "" "" attribute request
|
|
|
be9751 |
+ 3. Perform a base search on the DEFAULT_SUFFIX, using ten empty attribute requests
|
|
|
be9751 |
4. Check the access log file for 'invalid attribute request'
|
|
|
be9751 |
5. Check the access log file for 'SRCH base="\(null\)"'
|
|
|
be9751 |
6. Check the access log file for 'SRCH base="DEFAULT_SUFFIX"'
|
|
|
be9751 |
@@ -768,17 +958,14 @@ def test_log_base_dn_when_invalid_attr_request(topology_st):
|
|
|
be9751 |
|
|
|
be9751 |
entry = DSLdapObject(topology_st.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
|
|
|
be9751 |
- log.info('Set accesslog logbuffering to off to get the log in real time')
|
|
|
be9751 |
- topology_st.standalone.config.set('nsslapd-accesslog-logbuffering', 'off')
|
|
|
be9751 |
-
|
|
|
be9751 |
log.info('delete the previous access logs to get a fresh new one')
|
|
|
be9751 |
topology_st.standalone.deleteAccessLogs()
|
|
|
be9751 |
|
|
|
be9751 |
log.info("Search the default suffix, with invalid '\"\" \"\"' attribute request")
|
|
|
be9751 |
- log.info("A Protocol error exception should be raised, see https://pagure.io/389-ds-base/issue/49969")
|
|
|
be9751 |
- # A ldap.PROTOCOL_ERROR exception is expected
|
|
|
be9751 |
+ log.info("A Protocol error exception should be raised, see https://github.com/389ds/389-ds-base/issues/3028")
|
|
|
be9751 |
+ # A ldap.PROTOCOL_ERROR exception is expected after 10 empty values
|
|
|
be9751 |
with pytest.raises(ldap.PROTOCOL_ERROR):
|
|
|
be9751 |
- assert entry.get_attrs_vals_utf8(['', ''])
|
|
|
be9751 |
+ assert entry.get_attrs_vals_utf8(['', '', '', '', '', '', '', '', '', '', ''])
|
|
|
be9751 |
|
|
|
be9751 |
# Search for appropriate messages in the access log
|
|
|
be9751 |
log.info('Check the access logs for correct messages')
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py b/dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py
|
|
|
be9751 |
index db2be9f67..c882bea5f 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py
|
|
|
be9751 |
@@ -11,6 +11,7 @@ from lib389.tasks import *
|
|
|
be9751 |
from lib389.utils import *
|
|
|
be9751 |
from lib389.topologies import topology_st
|
|
|
be9751 |
from lib389.idm.user import UserAccounts
|
|
|
be9751 |
+from lib389.idm.domain import Domain
|
|
|
be9751 |
|
|
|
be9751 |
from lib389._constants import DN_DM, DEFAULT_SUFFIX, DN_CONFIG, PASSWORD
|
|
|
be9751 |
|
|
|
be9751 |
@@ -26,15 +27,15 @@ TEST_USER_PWD = 'all_attrs_test'
|
|
|
be9751 |
TEST_PARAMS = [(DN_ROOT, False, [
|
|
|
be9751 |
'aci', 'createTimestamp', 'creatorsName',
|
|
|
be9751 |
'modifiersName', 'modifyTimestamp', 'namingContexts',
|
|
|
be9751 |
- 'nsBackendSuffix', 'nsUniqueId', 'subschemaSubentry',
|
|
|
be9751 |
+ 'nsBackendSuffix', 'subschemaSubentry',
|
|
|
be9751 |
'supportedControl', 'supportedExtension',
|
|
|
be9751 |
'supportedFeatures', 'supportedLDAPVersion',
|
|
|
be9751 |
'supportedSASLMechanisms', 'vendorName', 'vendorVersion'
|
|
|
be9751 |
-]),
|
|
|
be9751 |
+ ]),
|
|
|
be9751 |
(DN_ROOT, True, [
|
|
|
be9751 |
'createTimestamp', 'creatorsName',
|
|
|
be9751 |
'modifiersName', 'modifyTimestamp', 'namingContexts',
|
|
|
be9751 |
- 'nsBackendSuffix', 'nsUniqueId', 'subschemaSubentry',
|
|
|
be9751 |
+ 'nsBackendSuffix', 'subschemaSubentry',
|
|
|
be9751 |
'supportedControl', 'supportedExtension',
|
|
|
be9751 |
'supportedFeatures', 'supportedLDAPVersion',
|
|
|
be9751 |
'supportedSASLMechanisms', 'vendorName', 'vendorVersion'
|
|
|
be9751 |
@@ -80,6 +81,18 @@ def create_user(topology_st):
|
|
|
be9751 |
'homeDirectory': '/home/test'
|
|
|
be9751 |
})
|
|
|
be9751 |
|
|
|
be9751 |
+ # Add anonymous access aci
|
|
|
be9751 |
+ ACI_TARGET = "(targetattr != \"userpassword || aci\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)
|
|
|
be9751 |
+ ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
|
|
|
be9751 |
+ ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
|
|
|
be9751 |
+ ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
|
|
|
be9751 |
+ suffix = Domain(topology_st.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
+ try:
|
|
|
be9751 |
+ suffix.add('aci', ANON_ACI)
|
|
|
be9751 |
+ except ldap.TYPE_OR_VALUE_EXISTS:
|
|
|
be9751 |
+ pass
|
|
|
be9751 |
+
|
|
|
be9751 |
+
|
|
|
be9751 |
@pytest.fixture(scope="module")
|
|
|
be9751 |
def user_aci(topology_st):
|
|
|
be9751 |
"""Don't allow modifiersName attribute for the test user
|
|
|
be9751 |
@@ -156,7 +169,9 @@ def test_search_basic(topology_st, create_user, user_aci, add_attr,
|
|
|
be9751 |
entries = topology_st.standalone.search_s(search_suffix, ldap.SCOPE_BASE,
|
|
|
be9751 |
'(objectclass=*)',
|
|
|
be9751 |
search_filter)
|
|
|
be9751 |
- found_attrs = entries[0].data.keys()
|
|
|
be9751 |
+ found_attrs = set(entries[0].data.keys())
|
|
|
be9751 |
+ if search_suffix == DN_ROOT and "nsUniqueId" in found_attrs:
|
|
|
be9751 |
+ found_attrs.remove("nsUniqueId")
|
|
|
be9751 |
|
|
|
be9751 |
if add_attr == '*':
|
|
|
be9751 |
assert set(expected_attrs) - set(found_attrs) == set()
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/mapping_tree/acceptance_test.py b/dirsrvtests/tests/suites/mapping_tree/acceptance_test.py
|
|
|
be9751 |
new file mode 100644
|
|
|
be9751 |
index 000000000..387c313ad
|
|
|
be9751 |
--- /dev/null
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/mapping_tree/acceptance_test.py
|
|
|
be9751 |
@@ -0,0 +1,65 @@
|
|
|
be9751 |
+# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
+# All rights reserved.
|
|
|
be9751 |
+#
|
|
|
be9751 |
+# License: GPL (version 3 or any later version).
|
|
|
be9751 |
+# See LICENSE for details.
|
|
|
be9751 |
+# --- END COPYRIGHT BLOCK ---
|
|
|
be9751 |
+#
|
|
|
be9751 |
+import ldap
|
|
|
be9751 |
+import logging
|
|
|
be9751 |
+import pytest
|
|
|
be9751 |
+import os
|
|
|
be9751 |
+from lib389._constants import *
|
|
|
be9751 |
+from lib389.topologies import topology_st as topo
|
|
|
be9751 |
+from lib389.mappingTree import MappingTrees
|
|
|
be9751 |
+
|
|
|
be9751 |
+DEBUGGING = os.getenv("DEBUGGING", default=False)
|
|
|
be9751 |
+if DEBUGGING:
|
|
|
be9751 |
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
|
|
|
be9751 |
+else:
|
|
|
be9751 |
+ logging.getLogger(__name__).setLevel(logging.INFO)
|
|
|
be9751 |
+log = logging.getLogger(__name__)
|
|
|
be9751 |
+
|
|
|
be9751 |
+
|
|
|
be9751 |
+def test_invalid_mt(topo):
|
|
|
be9751 |
+ """Test that you can not add a new suffix/mapping tree
|
|
|
be9751 |
+ that does not already have the backend entry created.
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: caabd407-f541-4695-b13f-8f92af1112a0
|
|
|
be9751 |
+ :setup: Standalone Instance
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Create a new suffix that specifies an existing backend which has a
|
|
|
be9751 |
+ different suffix.
|
|
|
be9751 |
+ 2. Create a suffix that has no backend entry at all.
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. Should fail with UNWILLING_TO_PERFORM
|
|
|
be9751 |
+ 1. Should fail with UNWILLING_TO_PERFORM
|
|
|
be9751 |
+ """
|
|
|
be9751 |
+
|
|
|
be9751 |
+ bad_suffix = 'dc=does,dc=not,dc=exist'
|
|
|
be9751 |
+ mts = MappingTrees(topo.standalone)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ properties = {
|
|
|
be9751 |
+ 'cn': bad_suffix,
|
|
|
be9751 |
+ 'nsslapd-state': 'backend',
|
|
|
be9751 |
+ 'nsslapd-backend': 'userroot',
|
|
|
be9751 |
+ }
|
|
|
be9751 |
+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):
|
|
|
be9751 |
+ mts.create(properties=properties)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ properties = {
|
|
|
be9751 |
+ 'cn': bad_suffix,
|
|
|
be9751 |
+ 'nsslapd-state': 'backend',
|
|
|
be9751 |
+ 'nsslapd-backend': 'notCreatedRoot',
|
|
|
be9751 |
+ }
|
|
|
be9751 |
+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):
|
|
|
be9751 |
+ mts.create(properties=properties)
|
|
|
be9751 |
+
|
|
|
be9751 |
+
|
|
|
be9751 |
+if __name__ == '__main__':
|
|
|
be9751 |
+ # Run isolated
|
|
|
be9751 |
+ # -s for DEBUG mode
|
|
|
be9751 |
+ CURRENT_FILE = os.path.realpath(__file__)
|
|
|
be9751 |
+ pytest.main(["-s", CURRENT_FILE])
|
|
|
be9751 |
+
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/mapping_tree/be_del_and_default_naming_attr_test.py b/dirsrvtests/tests/suites/mapping_tree/be_del_and_default_naming_attr_test.py
|
|
|
be9751 |
index 34a2de2ad..c25d89cb0 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/mapping_tree/be_del_and_default_naming_attr_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/mapping_tree/be_del_and_default_naming_attr_test.py
|
|
|
be9751 |
@@ -6,6 +6,8 @@ from lib389.topologies import topology_m1 as topo
|
|
|
be9751 |
from lib389.backend import Backends
|
|
|
be9751 |
from lib389.encrypted_attributes import EncryptedAttrs
|
|
|
be9751 |
|
|
|
be9751 |
+pytestmark = pytest.mark.tier1
|
|
|
be9751 |
+
|
|
|
be9751 |
DEBUGGING = os.getenv("DEBUGGING", default=False)
|
|
|
be9751 |
if DEBUGGING:
|
|
|
be9751 |
logging.getLogger(__name__).setLevel(logging.DEBUG)
|
|
|
be9751 |
@@ -26,13 +28,13 @@ def test_be_delete(topo):
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
1. Create second backend/suffix
|
|
|
be9751 |
2. Add an encrypted attribute to the default suffix
|
|
|
be9751 |
- 2. Delete default suffix
|
|
|
be9751 |
- 3. Check the nsslapd-defaultnamingcontext is updated
|
|
|
be9751 |
- 4. Delete the last backend
|
|
|
be9751 |
- 5. Check the namingcontext has not changed
|
|
|
be9751 |
- 6. Add new backend
|
|
|
be9751 |
- 7. Set default naming context
|
|
|
be9751 |
- 8. Verify the naming context is correct
|
|
|
be9751 |
+ 3. Delete default suffix
|
|
|
be9751 |
+ 4. Check the nsslapd-defaultnamingcontext is updated
|
|
|
be9751 |
+ 5. Delete the last backend
|
|
|
be9751 |
+ 6. Check the namingcontext has not changed
|
|
|
be9751 |
+ 7. Add new backend
|
|
|
be9751 |
+ 8. Set default naming context
|
|
|
be9751 |
+ 9. Verify the naming context is correct
|
|
|
be9751 |
:expectedresults:
|
|
|
be9751 |
1. Success
|
|
|
be9751 |
2. Success
|
|
|
be9751 |
@@ -42,6 +44,7 @@ def test_be_delete(topo):
|
|
|
be9751 |
6. Success
|
|
|
be9751 |
7. Success
|
|
|
be9751 |
8. Success
|
|
|
be9751 |
+ 9. Success
|
|
|
be9751 |
"""
|
|
|
be9751 |
|
|
|
be9751 |
inst = topo.ms["master1"]
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py
|
|
|
be9751 |
index b37eff70f..882faf513 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py
|
|
|
be9751 |
@@ -99,6 +99,7 @@ def test_pwd_reset(topology_st, create_user):
|
|
|
be9751 |
# Reset user's password
|
|
|
be9751 |
our_user = UserAccount(topology_st.standalone, TEST_USER_DN)
|
|
|
be9751 |
our_user.replace('userpassword', PASSWORD)
|
|
|
be9751 |
+ time.sleep(.5)
|
|
|
be9751 |
|
|
|
be9751 |
# Check that pwdReset is TRUE
|
|
|
be9751 |
assert our_user.get_attr_val_utf8('pwdReset') == 'TRUE'
|
|
|
be9751 |
@@ -106,6 +107,7 @@ def test_pwd_reset(topology_st, create_user):
|
|
|
be9751 |
# Bind as user and change its own password
|
|
|
be9751 |
our_user.rebind(PASSWORD)
|
|
|
be9751 |
our_user.replace('userpassword', PASSWORD)
|
|
|
be9751 |
+ time.sleep(.5)
|
|
|
be9751 |
|
|
|
be9751 |
# Check that pwdReset is FALSE
|
|
|
be9751 |
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
|
|
|
be9751 |
@@ -114,6 +116,9 @@ def test_pwd_reset(topology_st, create_user):
|
|
|
be9751 |
# Reset password policy config
|
|
|
be9751 |
topology_st.standalone.config.replace('passwordMustChange', 'off')
|
|
|
be9751 |
|
|
|
be9751 |
+ # Reset user's password
|
|
|
be9751 |
+ our_user.replace('userpassword', TEST_USER_PWD)
|
|
|
be9751 |
+
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.mark.parametrize('subtree_pwchange,user_pwchange,exception',
|
|
|
be9751 |
[('on', 'off', ldap.UNWILLING_TO_PERFORM),
|
|
|
be9751 |
@@ -171,7 +176,7 @@ def test_change_pwd(topology_st, create_user, password_policy,
|
|
|
be9751 |
user.reset_password('new_pass')
|
|
|
be9751 |
except ldap.LDAPError as e:
|
|
|
be9751 |
log.error('Failed to change userpassword for {}: error {}'.format(
|
|
|
be9751 |
- TEST_USER_DN, e.message['info']))
|
|
|
be9751 |
+ TEST_USER_DN, e.args[0['info']]))
|
|
|
be9751 |
raise e
|
|
|
be9751 |
finally:
|
|
|
be9751 |
log.info('Bind as DM')
|
|
|
be9751 |
@@ -245,7 +250,7 @@ def test_pwd_min_age(topology_st, create_user, password_policy):
|
|
|
be9751 |
user.reset_password(TEST_USER_PWD)
|
|
|
be9751 |
except ldap.LDAPError as e:
|
|
|
be9751 |
log.error('Failed to change userpassword for {}: error {}'.format(
|
|
|
be9751 |
- TEST_USER_DN, e.message['info']))
|
|
|
be9751 |
+ TEST_USER_DN, e.args[0]['info']))
|
|
|
be9751 |
raise e
|
|
|
be9751 |
finally:
|
|
|
be9751 |
log.info('Bind as DM')
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/replication/changelog_test.py b/dirsrvtests/tests/suites/replication/changelog_test.py
|
|
|
be9751 |
index e395f0e7c..66599286f 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/replication/changelog_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/replication/changelog_test.py
|
|
|
be9751 |
@@ -367,7 +367,7 @@ def test_dsconf_dump_changelog_files_removed(topo):
|
|
|
be9751 |
# primary condition before executing the core goal of this case : management of generated files.
|
|
|
be9751 |
|
|
|
be9751 |
log.info("Use dsconf dump-changelog with invalid parameters")
|
|
|
be9751 |
- cmdline=['python', '/usr/sbin/dsconf', instance_url, '-D', DN_DM, '-w', 'badpasswd', 'replication', 'dump-changelog']
|
|
|
be9751 |
+ cmdline=['/usr/sbin/dsconf', instance_url, '-D', DN_DM, '-w', 'badpasswd', 'replication', 'dump-changelog']
|
|
|
be9751 |
log.info('Command used : %s' % cmdline)
|
|
|
be9751 |
proc = subprocess.Popen(cmdline, stdout=subprocess.PIPE)
|
|
|
be9751 |
msg = proc.communicate()
|
|
|
be9751 |
@@ -377,7 +377,7 @@ def test_dsconf_dump_changelog_files_removed(topo):
|
|
|
be9751 |
# Now the core goal of the test case
|
|
|
be9751 |
# Using dsconf replication changelog without -l option
|
|
|
be9751 |
log.info('Use dsconf replication changelog without -l option: no generated ldif files should be present in %s ' % changelog_dir)
|
|
|
be9751 |
- cmdline=['python', '/usr/sbin/dsconf', instance_url, '-D', DN_DM, '-w', PASSWORD, 'replication', 'dump-changelog']
|
|
|
be9751 |
+ cmdline=['/usr/sbin/dsconf', instance_url, '-D', DN_DM, '-w', PASSWORD, 'replication', 'dump-changelog']
|
|
|
be9751 |
log.info('Command used : %s' % cmdline)
|
|
|
be9751 |
proc = subprocess.Popen(cmdline, stdout=subprocess.PIPE)
|
|
|
be9751 |
proc.communicate()
|
|
|
be9751 |
@@ -396,7 +396,7 @@ def test_dsconf_dump_changelog_files_removed(topo):
|
|
|
be9751 |
|
|
|
be9751 |
# Using dsconf replication changelog without -l option
|
|
|
be9751 |
log.info('Use dsconf replication changelog with -l option: generated ldif files should be kept in %s ' % changelog_dir)
|
|
|
be9751 |
- cmdline=['python', '/usr/sbin/dsconf', instance_url, '-D', DN_DM, '-w', PASSWORD, 'replication', 'dump-changelog', '-l']
|
|
|
be9751 |
+ cmdline=['/usr/sbin/dsconf', instance_url, '-D', DN_DM, '-w', PASSWORD, 'replication', 'dump-changelog', '-l']
|
|
|
be9751 |
log.info('Command used : %s' % cmdline)
|
|
|
be9751 |
proc = subprocess.Popen(cmdline, stdout=subprocess.PIPE)
|
|
|
be9751 |
proc.communicate()
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/replication/conflict_resolve_test.py b/dirsrvtests/tests/suites/replication/conflict_resolve_test.py
|
|
|
be9751 |
index 48d0067db..ea3eacc48 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/replication/conflict_resolve_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/replication/conflict_resolve_test.py
|
|
|
be9751 |
@@ -1,5 +1,5 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2018 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -117,7 +117,7 @@ def _test_base(topology):
|
|
|
be9751 |
M1 = topology.ms["master1"]
|
|
|
be9751 |
|
|
|
be9751 |
conts = nsContainers(M1, SUFFIX)
|
|
|
be9751 |
- base_m2 = conts.create(properties={'cn': 'test_container'})
|
|
|
be9751 |
+ base_m2 = conts.ensure_state(properties={'cn': 'test_container'})
|
|
|
be9751 |
|
|
|
be9751 |
for inst in topology:
|
|
|
be9751 |
inst.config.loglevel([ErrorLog.DEFAULT, ErrorLog.REPLICA], service='error')
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/replication/rfc2307compat.py b/dirsrvtests/tests/suites/replication/rfc2307compat.py
|
|
|
be9751 |
new file mode 100644
|
|
|
be9751 |
index 000000000..ec98e9dac
|
|
|
be9751 |
--- /dev/null
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/replication/rfc2307compat.py
|
|
|
be9751 |
@@ -0,0 +1,174 @@
|
|
|
be9751 |
+# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 William Brown <william@blackhats.net.au>
|
|
|
be9751 |
+# All rights reserved.
|
|
|
be9751 |
+#
|
|
|
be9751 |
+# License: GPL (version 3 or any later version).
|
|
|
be9751 |
+# See LICENSE for details.
|
|
|
be9751 |
+# --- END COPYRIGHT BLOCK ---
|
|
|
be9751 |
+#
|
|
|
be9751 |
+import pytest
|
|
|
be9751 |
+from lib389.replica import Replicas
|
|
|
be9751 |
+from lib389.tasks import *
|
|
|
be9751 |
+from lib389.utils import *
|
|
|
be9751 |
+from lib389.topologies import topology_m2 as topo_m2
|
|
|
be9751 |
+from . import get_repl_entries
|
|
|
be9751 |
+from lib389.idm.user import UserAccount
|
|
|
be9751 |
+from lib389.replica import ReplicationManager
|
|
|
be9751 |
+from lib389._constants import *
|
|
|
be9751 |
+
|
|
|
be9751 |
+pytestmark = pytest.mark.tier0
|
|
|
be9751 |
+
|
|
|
be9751 |
+TEST_ENTRY_NAME = 'mmrepl_test'
|
|
|
be9751 |
+TEST_ENTRY_DN = 'uid={},{}'.format(TEST_ENTRY_NAME, DEFAULT_SUFFIX)
|
|
|
be9751 |
+NEW_SUFFIX_NAME = 'test_repl'
|
|
|
be9751 |
+NEW_SUFFIX = 'o={}'.format(NEW_SUFFIX_NAME)
|
|
|
be9751 |
+NEW_BACKEND = 'repl_base'
|
|
|
be9751 |
+
|
|
|
be9751 |
+DEBUGGING = os.getenv("DEBUGGING", default=False)
|
|
|
be9751 |
+if DEBUGGING:
|
|
|
be9751 |
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
|
|
|
be9751 |
+else:
|
|
|
be9751 |
+ logging.getLogger(__name__).setLevel(logging.INFO)
|
|
|
be9751 |
+log = logging.getLogger(__name__)
|
|
|
be9751 |
+
|
|
|
be9751 |
+pytest.mark.skipif(not os.environ.get('UNSAFE_ACK', False), reason="UNSAFE tests may damage system configuration.")
|
|
|
be9751 |
+def test_rfc2307compat(topo_m2):
|
|
|
be9751 |
+ """ Test to verify if 10rfc2307compat.ldif does not prevent replication of schema
|
|
|
be9751 |
+ - Create 2 masters and a test entry
|
|
|
be9751 |
+ - Move 10rfc2307compat.ldif to be private to M1
|
|
|
be9751 |
+ - Move 10rfc2307.ldif to be private to M2
|
|
|
be9751 |
+ - Add 'objectCategory' to the schema of M1
|
|
|
be9751 |
+ - Force a replication session
|
|
|
be9751 |
+ - Check 'objectCategory' on M1 and M2
|
|
|
be9751 |
+ """
|
|
|
be9751 |
+ m1 = topo_m2.ms["master1"]
|
|
|
be9751 |
+ m2 = topo_m2.ms["master2"]
|
|
|
be9751 |
+
|
|
|
be9751 |
+ m1.config.loglevel(vals=(ErrorLog.DEFAULT, ErrorLog.REPLICA))
|
|
|
be9751 |
+ m2.config.loglevel(vals=(ErrorLog.DEFAULT, ErrorLog.REPLICA))
|
|
|
be9751 |
+
|
|
|
be9751 |
+ m1.add_s(Entry((
|
|
|
be9751 |
+ TEST_ENTRY_DN, {
|
|
|
be9751 |
+ "objectClass": "top",
|
|
|
be9751 |
+ "objectClass": "extensibleObject",
|
|
|
be9751 |
+ 'uid': TEST_ENTRY_NAME,
|
|
|
be9751 |
+ 'cn': TEST_ENTRY_NAME,
|
|
|
be9751 |
+ 'sn': TEST_ENTRY_NAME,
|
|
|
be9751 |
+ }
|
|
|
be9751 |
+ )))
|
|
|
be9751 |
+
|
|
|
be9751 |
+ entries = get_repl_entries(topo_m2, TEST_ENTRY_NAME, ["uid"])
|
|
|
be9751 |
+ assert all(entries), "Entry {} wasn't replicated successfully".format(TEST_ENTRY_DN)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Clean the old locations (if any)
|
|
|
be9751 |
+ m1_temp_schema = os.path.join(m1.get_config_dir(), 'schema')
|
|
|
be9751 |
+ m2_temp_schema = os.path.join(m2.get_config_dir(), 'schema')
|
|
|
be9751 |
+ m1_schema = os.path.join(m1.get_data_dir(), 'dirsrv/schema')
|
|
|
be9751 |
+ m1_opt_schema = os.path.join(m1.get_data_dir(), 'dirsrv/data')
|
|
|
be9751 |
+ m1_temp_backup = os.path.join(m1.get_tmp_dir(), 'schema')
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Does the system schema exist?
|
|
|
be9751 |
+ if os.path.islink(m1_schema):
|
|
|
be9751 |
+ # Then we need to put the m1 schema back.
|
|
|
be9751 |
+ os.unlink(m1_schema)
|
|
|
be9751 |
+ shutil.copytree(m1_temp_backup, m1_schema)
|
|
|
be9751 |
+ if not os.path.exists(m1_temp_backup):
|
|
|
be9751 |
+ shutil.copytree(m1_schema, m1_temp_backup)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ shutil.rmtree(m1_temp_schema, ignore_errors=True)
|
|
|
be9751 |
+ shutil.rmtree(m2_temp_schema, ignore_errors=True)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Build a new copy
|
|
|
be9751 |
+ shutil.copytree(m1_schema, m1_temp_schema)
|
|
|
be9751 |
+ shutil.copytree(m1_schema, m2_temp_schema)
|
|
|
be9751 |
+ # Ensure 99user.ldif exists
|
|
|
be9751 |
+ with open(os.path.join(m1_temp_schema, '99user.ldif'), 'w') as f:
|
|
|
be9751 |
+ f.write('dn: cn=schema')
|
|
|
be9751 |
+
|
|
|
be9751 |
+ with open(os.path.join(m2_temp_schema, '99user.ldif'), 'w') as f:
|
|
|
be9751 |
+ f.write('dn: cn=schema')
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # m1 has compat, m2 has legacy.
|
|
|
be9751 |
+ os.unlink(os.path.join(m2_temp_schema, '10rfc2307compat.ldif'))
|
|
|
be9751 |
+ shutil.copy(os.path.join(m1_opt_schema, '10rfc2307.ldif'), m2_temp_schema)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Configure the instances
|
|
|
be9751 |
+ # m1.config.replace('nsslapd-schemadir', m1_temp_schema)
|
|
|
be9751 |
+ # m2.config.replace('nsslapd-schemadir', m2_temp_schema)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Now mark the system schema as empty.
|
|
|
be9751 |
+ shutil.rmtree(m1_schema)
|
|
|
be9751 |
+ os.symlink('/var/lib/empty', m1_schema)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ print("SETUP COMPLETE -->")
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Stop all instances
|
|
|
be9751 |
+ m1.stop()
|
|
|
be9751 |
+ m2.stop()
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # udpate the schema on M1 to tag a schemacsn
|
|
|
be9751 |
+ m1.start()
|
|
|
be9751 |
+ objectcategory_attr = '( NAME \'objectCategory\' DESC \'test of objectCategory\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )'
|
|
|
be9751 |
+ m1.schema.add_schema('attributetypes', [ensure_bytes(objectcategory_attr)])
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Now start M2 and trigger a replication M1->M2
|
|
|
be9751 |
+ m2.start()
|
|
|
be9751 |
+ m1.modify_s(TEST_ENTRY_DN, [(ldap.MOD_ADD, 'cn', [ensure_bytes('value_m1')])])
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Now check that objectCategory is in both schema
|
|
|
be9751 |
+ time.sleep(10)
|
|
|
be9751 |
+ ents = m1.search_s("cn=schema", ldap.SCOPE_SUBTREE, 'objectclass=*',['attributetypes'])
|
|
|
be9751 |
+ for value in ents[0].getValues('attributetypes'):
|
|
|
be9751 |
+ if ensure_bytes('objectCategory') in value:
|
|
|
be9751 |
+ log.info("M1: " + str(value))
|
|
|
be9751 |
+ break
|
|
|
be9751 |
+ assert ensure_bytes('objectCategory') in value
|
|
|
be9751 |
+
|
|
|
be9751 |
+ ents = m2.search_s("cn=schema", ldap.SCOPE_SUBTREE, 'objectclass=*',['attributetypes'])
|
|
|
be9751 |
+ for value in ents[0].getValues('attributetypes'):
|
|
|
be9751 |
+ if ensure_bytes('objectCategory') in value:
|
|
|
be9751 |
+ log.info("M2: " + str(value))
|
|
|
be9751 |
+ break
|
|
|
be9751 |
+ assert ensure_bytes('objectCategory') in value
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Stop m2
|
|
|
be9751 |
+ m2.stop()
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # "Update" it's schema,
|
|
|
be9751 |
+ os.unlink(os.path.join(m2_temp_schema, '10rfc2307.ldif'))
|
|
|
be9751 |
+ shutil.copy(os.path.join(m1_temp_backup, '10rfc2307compat.ldif'), m2_temp_schema)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Add some more to m1
|
|
|
be9751 |
+ objectcategory_attr = '( NAME \'objectCategoryX\' DESC \'test of objectCategoryX\' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )'
|
|
|
be9751 |
+ m1.schema.add_schema('attributetypes', [ensure_bytes(objectcategory_attr)])
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Start m2.
|
|
|
be9751 |
+ m2.start()
|
|
|
be9751 |
+ m1.modify_s(TEST_ENTRY_DN, [(ldap.MOD_ADD, 'cn', [ensure_bytes('value_m2')])])
|
|
|
be9751 |
+
|
|
|
be9751 |
+ time.sleep(10)
|
|
|
be9751 |
+ ents = m1.search_s("cn=schema", ldap.SCOPE_SUBTREE, 'objectclass=*',['attributetypes'])
|
|
|
be9751 |
+ for value in ents[0].getValues('attributetypes'):
|
|
|
be9751 |
+ if ensure_bytes('objectCategoryX') in value:
|
|
|
be9751 |
+ log.info("M1: " + str(value))
|
|
|
be9751 |
+ break
|
|
|
be9751 |
+ assert ensure_bytes('objectCategoryX') in value
|
|
|
be9751 |
+
|
|
|
be9751 |
+ ents = m2.search_s("cn=schema", ldap.SCOPE_SUBTREE, 'objectclass=*',['attributetypes'])
|
|
|
be9751 |
+ for value in ents[0].getValues('attributetypes'):
|
|
|
be9751 |
+ if ensure_bytes('objectCategoryX') in value:
|
|
|
be9751 |
+ log.info("M2: " + str(value))
|
|
|
be9751 |
+ break
|
|
|
be9751 |
+ assert ensure_bytes('objectCategoryX') in value
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Success cleanup
|
|
|
be9751 |
+ os.unlink(m1_schema)
|
|
|
be9751 |
+ shutil.copytree(m1_temp_backup, m1_schema)
|
|
|
be9751 |
+
|
|
|
be9751 |
+
|
|
|
be9751 |
+if __name__ == '__main__':
|
|
|
be9751 |
+ # Run isolated
|
|
|
be9751 |
+ # -s for DEBUG mode
|
|
|
be9751 |
+ CURRENT_FILE = os.path.realpath(__file__)
|
|
|
be9751 |
+ pytest.main("-s %s" % CURRENT_FILE)
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/roles/__init__.py b/dirsrvtests/tests/suites/roles/__init__.py
|
|
|
be9751 |
new file mode 100644
|
|
|
be9751 |
index 000000000..1981985fb
|
|
|
be9751 |
--- /dev/null
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/roles/__init__.py
|
|
|
be9751 |
@@ -0,0 +1,3 @@
|
|
|
be9751 |
+"""
|
|
|
be9751 |
+ :Requirement: 389-ds-base: Roles
|
|
|
be9751 |
+"""
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/roles/basic_test.py b/dirsrvtests/tests/suites/roles/basic_test.py
|
|
|
be9751 |
index 3f1b7568c..47a531794 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/roles/basic_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/roles/basic_test.py
|
|
|
be9751 |
@@ -1,5 +1,5 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2019 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
@@ -36,18 +36,19 @@ FILTERROLEENGROLE = "cn=FILTERROLEENGROLE,{}".format(DNBASE)
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_filterrole(topo):
|
|
|
be9751 |
- '''
|
|
|
be9751 |
- :id: 8ada4064-786b-11e8-8634-8c16451d917b
|
|
|
be9751 |
- :setup: server
|
|
|
be9751 |
- :steps:
|
|
|
be9751 |
- 1. Add test entry
|
|
|
be9751 |
- 2. Add ACI
|
|
|
be9751 |
- 3. Search nsconsole role
|
|
|
be9751 |
- :expectedresults:
|
|
|
be9751 |
- 1. Entry should be added
|
|
|
be9751 |
- 2. Operation should succeed
|
|
|
be9751 |
- 3. Operation should succeed
|
|
|
be9751 |
- '''
|
|
|
be9751 |
+ """Test Filter Role
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: 8ada4064-786b-11e8-8634-8c16451d917b
|
|
|
be9751 |
+ :setup: server
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Add test entry
|
|
|
be9751 |
+ 2. Add ACI
|
|
|
be9751 |
+ 3. Search nsconsole role
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. Entry should be added
|
|
|
be9751 |
+ 2. Operation should succeed
|
|
|
be9751 |
+ 3. Operation should succeed
|
|
|
be9751 |
+ """
|
|
|
be9751 |
Organization(topo.standalone).create(properties={"o": "acivattr"}, basedn=DEFAULT_SUFFIX)
|
|
|
be9751 |
properties = {
|
|
|
be9751 |
'ou': 'eng',
|
|
|
be9751 |
@@ -137,18 +138,19 @@ def test_filterrole(topo):
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_managedrole(topo):
|
|
|
be9751 |
- '''
|
|
|
be9751 |
- :id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
|
|
|
be9751 |
- :setup: server
|
|
|
be9751 |
- :steps:
|
|
|
be9751 |
- 1. Add test entry
|
|
|
be9751 |
- 2. Add ACI
|
|
|
be9751 |
- 3. Search managed role entries
|
|
|
be9751 |
- :expectedresults:
|
|
|
be9751 |
- 1. Entry should be added
|
|
|
be9751 |
- 2. Operation should succeed
|
|
|
be9751 |
- 3. Operation should succeed
|
|
|
be9751 |
- '''
|
|
|
be9751 |
+ """Test Managed Role
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: d52a9c00-3bf6-11e9-9b7b-8c16451d917b
|
|
|
be9751 |
+ :setup: server
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Add test entry
|
|
|
be9751 |
+ 2. Add ACI
|
|
|
be9751 |
+ 3. Search managed role entries
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. Entry should be added
|
|
|
be9751 |
+ 2. Operation should succeed
|
|
|
be9751 |
+ 3. Operation should succeed
|
|
|
be9751 |
+ """
|
|
|
be9751 |
# Create Managed role entry
|
|
|
be9751 |
roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
role = roles.create(properties={"cn": 'ROLE1'})
|
|
|
be9751 |
@@ -184,8 +186,12 @@ def test_managedrole(topo):
|
|
|
be9751 |
|
|
|
be9751 |
# Set an aci that will deny ROLE1 manage role
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
- add('aci', '(targetattr=*)(version 3.0; aci "role aci";'
|
|
|
be9751 |
+ add('aci', '(targetattr="*")(version 3.0; aci "role aci";'
|
|
|
be9751 |
' deny(all) roledn="ldap:///{}";)'.format(role.dn),)
|
|
|
be9751 |
+ # Add self user modification and anonymous aci
|
|
|
be9751 |
+ ANON_ACI = "(targetattr=\"*\")(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare) userdn = \"ldap:///anyone\";)"
|
|
|
be9751 |
+ suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
+ suffix.add('aci', ANON_ACI)
|
|
|
be9751 |
|
|
|
be9751 |
# Crate a connection with cn=Fail which is member of ROLE1
|
|
|
be9751 |
conn = UserAccount(topo.standalone, "uid=Fail,{}".format(DEFAULT_SUFFIX)).bind(PW_DM)
|
|
|
be9751 |
@@ -232,17 +238,18 @@ def _final(request, topo):
|
|
|
be9751 |
|
|
|
be9751 |
|
|
|
be9751 |
def test_nestedrole(topo, _final):
|
|
|
be9751 |
- """
|
|
|
be9751 |
- :id: 867b40c0-7fcf-4332-afc7-bd01025b77f2
|
|
|
be9751 |
- :setup: Standalone server
|
|
|
be9751 |
- :steps:
|
|
|
be9751 |
- 1. Add test entry
|
|
|
be9751 |
- 2. Add ACI
|
|
|
be9751 |
- 3. Search managed role entries
|
|
|
be9751 |
- :expectedresults:
|
|
|
be9751 |
- 1. Entry should be added
|
|
|
be9751 |
- 2. Operation should succeed
|
|
|
be9751 |
- 3. Operation should succeed
|
|
|
be9751 |
+ """Test Nested Role
|
|
|
be9751 |
+
|
|
|
be9751 |
+ :id: 867b40c0-7fcf-4332-afc7-bd01025b77f2
|
|
|
be9751 |
+ :setup: Standalone server
|
|
|
be9751 |
+ :steps:
|
|
|
be9751 |
+ 1. Add test entry
|
|
|
be9751 |
+ 2. Add ACI
|
|
|
be9751 |
+ 3. Search managed role entries
|
|
|
be9751 |
+ :expectedresults:
|
|
|
be9751 |
+ 1. Entry should be added
|
|
|
be9751 |
+ 2. Operation should succeed
|
|
|
be9751 |
+ 3. Operation should succeed
|
|
|
be9751 |
"""
|
|
|
be9751 |
# Create Managed role entry
|
|
|
be9751 |
managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
|
|
|
be9751 |
@@ -271,7 +278,7 @@ def test_nestedrole(topo, _final):
|
|
|
be9751 |
|
|
|
be9751 |
# Create a ACI with deny access to nested role entry
|
|
|
be9751 |
Domain(topo.standalone, DEFAULT_SUFFIX).\
|
|
|
be9751 |
- add('aci', f'(targetattr=*)(version 3.0; aci '
|
|
|
be9751 |
+ add('aci', f'(targetattr="*")(version 3.0; aci '
|
|
|
be9751 |
f'"role aci"; deny(all) roledn="ldap:///{nested_role.dn}";)')
|
|
|
be9751 |
|
|
|
be9751 |
# Create connection with 'uid=test_user_1,ou=People,dc=example,dc=com' member of managed_role1
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/sasl/regression_test.py b/dirsrvtests/tests/suites/sasl/regression_test.py
|
|
|
be9751 |
index 2db76ce98..58ff9a225 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/sasl/regression_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/sasl/regression_test.py
|
|
|
be9751 |
@@ -1,15 +1,14 @@
|
|
|
be9751 |
# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
-# Copyright (C) 2016 Red Hat, Inc.
|
|
|
be9751 |
+# Copyright (C) 2020 Red Hat, Inc.
|
|
|
be9751 |
# All rights reserved.
|
|
|
be9751 |
#
|
|
|
be9751 |
# License: GPL (version 3 or any later version).
|
|
|
be9751 |
# See LICENSE for details.
|
|
|
be9751 |
# --- END COPYRIGHT BLOCK ---
|
|
|
be9751 |
#
|
|
|
be9751 |
-import base64
|
|
|
be9751 |
+
|
|
|
be9751 |
import os
|
|
|
be9751 |
import pytest
|
|
|
be9751 |
-import subprocess
|
|
|
be9751 |
from lib389.tasks import *
|
|
|
be9751 |
from lib389.utils import *
|
|
|
be9751 |
from lib389.topologies import topology_m2
|
|
|
be9751 |
@@ -48,7 +47,7 @@ def check_pems(confdir, mycacert, myservercert, myserverkey, notexist):
|
|
|
be9751 |
log.info("\n######################### Check PEM files (%s, %s, %s)%s in %s ######################\n"
|
|
|
be9751 |
% (mycacert, myservercert, myserverkey, notexist, confdir))
|
|
|
be9751 |
global cacert
|
|
|
be9751 |
- cacert = '%s/%s.pem' % (confdir, mycacert)
|
|
|
be9751 |
+ cacert = f"{mycacert}.pem"
|
|
|
be9751 |
if os.path.isfile(cacert):
|
|
|
be9751 |
if notexist == "":
|
|
|
be9751 |
log.info('%s is successfully generated.' % cacert)
|
|
|
be9751 |
@@ -61,7 +60,7 @@ def check_pems(confdir, mycacert, myservercert, myserverkey, notexist):
|
|
|
be9751 |
assert False
|
|
|
be9751 |
else:
|
|
|
be9751 |
log.info('%s is correctly not generated.' % cacert)
|
|
|
be9751 |
- servercert = '%s/%s.pem' % (confdir, myservercert)
|
|
|
be9751 |
+ servercert = f"{myservercert}.pem"
|
|
|
be9751 |
if os.path.isfile(servercert):
|
|
|
be9751 |
if notexist == "":
|
|
|
be9751 |
log.info('%s is successfully generated.' % servercert)
|
|
|
be9751 |
@@ -74,7 +73,7 @@ def check_pems(confdir, mycacert, myservercert, myserverkey, notexist):
|
|
|
be9751 |
assert False
|
|
|
be9751 |
else:
|
|
|
be9751 |
log.info('%s is correctly not generated.' % servercert)
|
|
|
be9751 |
- serverkey = '%s/%s.pem' % (confdir, myserverkey)
|
|
|
be9751 |
+ serverkey = f"{myserverkey}.pem"
|
|
|
be9751 |
if os.path.isfile(serverkey):
|
|
|
be9751 |
if notexist == "":
|
|
|
be9751 |
log.info('%s is successfully generated.' % serverkey)
|
|
|
be9751 |
@@ -91,16 +90,16 @@ def check_pems(confdir, mycacert, myservercert, myserverkey, notexist):
|
|
|
be9751 |
|
|
|
be9751 |
def relocate_pem_files(topology_m2):
|
|
|
be9751 |
log.info("######################### Relocate PEM files on master1 ######################")
|
|
|
be9751 |
- mycacert = 'MyCA'
|
|
|
be9751 |
+ certdir_prefix = "/dev/shm"
|
|
|
be9751 |
+ mycacert = os.path.join(certdir_prefix, "MyCA")
|
|
|
be9751 |
topology_m2.ms["master1"].encryption.set('CACertExtractFile', mycacert)
|
|
|
be9751 |
- myservercert = 'MyServerCert1'
|
|
|
be9751 |
- myserverkey = 'MyServerKey1'
|
|
|
be9751 |
+ myservercert = os.path.join(certdir_prefix, "MyServerCert1")
|
|
|
be9751 |
+ myserverkey = os.path.join(certdir_prefix, "MyServerKey1")
|
|
|
be9751 |
topology_m2.ms["master1"].rsa.apply_mods([(ldap.MOD_REPLACE, 'ServerCertExtractFile', myservercert),
|
|
|
be9751 |
(ldap.MOD_REPLACE, 'ServerKeyExtractFile', myserverkey)])
|
|
|
be9751 |
log.info("##### restart master1")
|
|
|
be9751 |
topology_m2.ms["master1"].restart()
|
|
|
be9751 |
- m1confdir = topology_m2.ms["master1"].confdir
|
|
|
be9751 |
- check_pems(m1confdir, mycacert, myservercert, myserverkey, "")
|
|
|
be9751 |
+ check_pems(certdir_prefix, mycacert, myservercert, myserverkey, "")
|
|
|
be9751 |
|
|
|
be9751 |
@pytest.mark.ds47536
|
|
|
be9751 |
def test_openldap_no_nss_crypto(topology_m2):
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/syncrepl_plugin/__init__.py b/dirsrvtests/tests/suites/syncrepl_plugin/__init__.py
|
|
|
be9751 |
new file mode 100644
|
|
|
be9751 |
index 000000000..699d58f79
|
|
|
be9751 |
--- /dev/null
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/syncrepl_plugin/__init__.py
|
|
|
be9751 |
@@ -0,0 +1,163 @@
|
|
|
be9751 |
+# --- BEGIN COPYRIGHT BLOCK ---
|
|
|
be9751 |
+# Copyright (C) 2020 William Brown <william@blackhats.net.au>
|
|
|
be9751 |
+# All rights reserved.
|
|
|
be9751 |
+#
|
|
|
be9751 |
+# License: GPL (version 3 or any later version).
|
|
|
be9751 |
+# See LICENSE for details.
|
|
|
be9751 |
+# --- END COPYRIGHT BLOCK ---
|
|
|
be9751 |
+
|
|
|
be9751 |
+import logging
|
|
|
be9751 |
+import ldap
|
|
|
be9751 |
+import time
|
|
|
be9751 |
+from ldap.syncrepl import SyncreplConsumer
|
|
|
be9751 |
+import pytest
|
|
|
be9751 |
+from lib389 import DirSrv
|
|
|
be9751 |
+from lib389.idm.user import nsUserAccounts, UserAccounts
|
|
|
be9751 |
+from lib389.topologies import topology_st as topology
|
|
|
be9751 |
+from lib389.paths import Paths
|
|
|
be9751 |
+from lib389.utils import ds_is_older
|
|
|
be9751 |
+from lib389.plugins import RetroChangelogPlugin, ContentSynchronizationPlugin
|
|
|
be9751 |
+from lib389._constants import *
|
|
|
be9751 |
+
|
|
|
be9751 |
+log = logging.getLogger(__name__)
|
|
|
be9751 |
+
|
|
|
be9751 |
+class ISyncRepl(DirSrv, SyncreplConsumer):
|
|
|
be9751 |
+ """
|
|
|
be9751 |
+ This implements a test harness for checking syncrepl, and allowing us to check various actions or
|
|
|
be9751 |
+ behaviours. During a "run" it stores the results in it's instance, so that they can be inspected
|
|
|
be9751 |
+ later to ensure that syncrepl worked as expected.
|
|
|
be9751 |
+ """
|
|
|
be9751 |
+ def __init__(self, inst, openldap=False):
|
|
|
be9751 |
+ self.inst = inst
|
|
|
be9751 |
+ self.msgid = None
|
|
|
be9751 |
+
|
|
|
be9751 |
+ self.last_cookie = None
|
|
|
be9751 |
+ self.next_cookie = None
|
|
|
be9751 |
+ self.cookie = None
|
|
|
be9751 |
+ self.openldap = openldap
|
|
|
be9751 |
+ if self.openldap:
|
|
|
be9751 |
+ # In openldap mode, our initial cookie needs to be a rid.
|
|
|
be9751 |
+ self.cookie = "rid=123"
|
|
|
be9751 |
+ self.delete = []
|
|
|
be9751 |
+ self.present = []
|
|
|
be9751 |
+ self.entries = {}
|
|
|
be9751 |
+
|
|
|
be9751 |
+ super().__init__()
|
|
|
be9751 |
+
|
|
|
be9751 |
+ def result4(self, *args, **kwargs):
|
|
|
be9751 |
+ return self.inst.result4(*args, **kwargs, escapehatch='i am sure')
|
|
|
be9751 |
+
|
|
|
be9751 |
+ def search_ext(self, *args, **kwargs):
|
|
|
be9751 |
+ return self.inst.search_ext(*args, **kwargs, escapehatch='i am sure')
|
|
|
be9751 |
+
|
|
|
be9751 |
+ def syncrepl_search(self, base=DEFAULT_SUFFIX, scope=ldap.SCOPE_SUBTREE, mode='refreshOnly', cookie=None, **search_args):
|
|
|
be9751 |
+ # Wipe the last result set.
|
|
|
be9751 |
+ self.delete = []
|
|
|
be9751 |
+ self.present = []
|
|
|
be9751 |
+ self.entries = {}
|
|
|
be9751 |
+ self.next_cookie = None
|
|
|
be9751 |
+ # Start the sync
|
|
|
be9751 |
+ # If cookie is none, will call "get_cookie" we have.
|
|
|
be9751 |
+ self.msgid = super().syncrepl_search(base, scope, mode, cookie, **search_args)
|
|
|
be9751 |
+ log.debug(f'syncrepl_search -> {self.msgid}')
|
|
|
be9751 |
+ assert self.msgid is not None
|
|
|
be9751 |
+
|
|
|
be9751 |
+ def syncrepl_complete(self):
|
|
|
be9751 |
+ log.debug(f'syncrepl_complete -> {self.msgid}')
|
|
|
be9751 |
+ assert self.msgid is not None
|
|
|
be9751 |
+ # Loop until the operation is complete.
|
|
|
be9751 |
+ while super().syncrepl_poll(msgid=self.msgid) is True:
|
|
|
be9751 |
+ pass
|
|
|
be9751 |
+ assert self.next_cookie is not None
|
|
|
be9751 |
+ self.last_cookie = self.cookie
|
|
|
be9751 |
+ self.cookie = self.next_cookie
|
|
|
be9751 |
+
|
|
|
be9751 |
+ def check_cookie(self):
|
|
|
be9751 |
+ assert self.last_cookie != self.cookie
|
|
|
be9751 |
+
|
|
|
be9751 |
+ def syncrepl_set_cookie(self, cookie):
|
|
|
be9751 |
+ log.debug(f'set_cookie -> {cookie}')
|
|
|
be9751 |
+ if self.openldap:
|
|
|
be9751 |
+ assert self.cookie.startswith("rid=123")
|
|
|
be9751 |
+ self.next_cookie = cookie
|
|
|
be9751 |
+
|
|
|
be9751 |
+ def syncrepl_get_cookie(self):
|
|
|
be9751 |
+ log.debug('get_cookie -> %s' % self.cookie)
|
|
|
be9751 |
+ if self.openldap:
|
|
|
be9751 |
+ assert self.cookie.startswith("rid=123")
|
|
|
be9751 |
+ return self.cookie
|
|
|
be9751 |
+
|
|
|
be9751 |
+ def syncrepl_present(self, uuids, refreshDeletes=False):
|
|
|
be9751 |
+ log.debug(f'=====> refdel -> {refreshDeletes} uuids -> {uuids}')
|
|
|
be9751 |
+ if uuids is not None:
|
|
|
be9751 |
+ self.present = self.present + uuids
|
|
|
be9751 |
+
|
|
|
be9751 |
+ def syncrepl_delete(self, uuids):
|
|
|
be9751 |
+ log.debug(f'delete -> {uuids}')
|
|
|
be9751 |
+ self.delete = uuids
|
|
|
be9751 |
+
|
|
|
be9751 |
+ def syncrepl_entry(self, dn, attrs, uuid):
|
|
|
be9751 |
+ log.debug(f'entry -> {dn}')
|
|
|
be9751 |
+ self.entries[dn] = (uuid, attrs)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ def syncrepl_refreshdone(self):
|
|
|
be9751 |
+ log.debug('refreshdone')
|
|
|
be9751 |
+
|
|
|
be9751 |
+def syncstate_assert(st, sync):
|
|
|
be9751 |
+ # How many entries do we have?
|
|
|
be9751 |
+ r = st.search_ext_s(
|
|
|
be9751 |
+ base=DEFAULT_SUFFIX,
|
|
|
be9751 |
+ scope=ldap.SCOPE_SUBTREE,
|
|
|
be9751 |
+ filterstr='(objectClass=*)',
|
|
|
be9751 |
+ attrsonly=1,
|
|
|
be9751 |
+ escapehatch='i am sure'
|
|
|
be9751 |
+ )
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Initial sync
|
|
|
be9751 |
+ log.debug("*test* initial")
|
|
|
be9751 |
+ sync.syncrepl_search()
|
|
|
be9751 |
+ sync.syncrepl_complete()
|
|
|
be9751 |
+ # check we caught them all
|
|
|
be9751 |
+ assert len(r) == len(sync.entries.keys())
|
|
|
be9751 |
+ assert len(r) == len(sync.present)
|
|
|
be9751 |
+ assert 0 == len(sync.delete)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Add a new entry
|
|
|
be9751 |
+
|
|
|
be9751 |
+ account = nsUserAccounts(st, DEFAULT_SUFFIX).create_test_user()
|
|
|
be9751 |
+ # Check
|
|
|
be9751 |
+ log.debug("*test* add")
|
|
|
be9751 |
+ sync.syncrepl_search()
|
|
|
be9751 |
+ sync.syncrepl_complete()
|
|
|
be9751 |
+ sync.check_cookie()
|
|
|
be9751 |
+ assert 1 == len(sync.entries.keys())
|
|
|
be9751 |
+ assert 1 == len(sync.present)
|
|
|
be9751 |
+ assert 0 == len(sync.delete)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Mod
|
|
|
be9751 |
+ account.replace('description', 'change')
|
|
|
be9751 |
+ # Check
|
|
|
be9751 |
+ log.debug("*test* mod")
|
|
|
be9751 |
+ sync.syncrepl_search()
|
|
|
be9751 |
+ sync.syncrepl_complete()
|
|
|
be9751 |
+ sync.check_cookie()
|
|
|
be9751 |
+ assert 1 == len(sync.entries.keys())
|
|
|
be9751 |
+ assert 1 == len(sync.present)
|
|
|
be9751 |
+ assert 0 == len(sync.delete)
|
|
|
be9751 |
+
|
|
|
be9751 |
+ ## Delete
|
|
|
be9751 |
+ account.delete()
|
|
|
be9751 |
+
|
|
|
be9751 |
+ # Check
|
|
|
be9751 |
+ log.debug("*test* del")
|
|
|
be9751 |
+ sync.syncrepl_search()
|
|
|
be9751 |
+ sync.syncrepl_complete()
|
|
|
be9751 |
+ # In a delete, the cookie isn't updated (?)
|
|
|
be9751 |
+ sync.check_cookie()
|
|
|
be9751 |
+ log.debug(f'{sync.entries.keys()}')
|
|
|
be9751 |
+ log.debug(f'{sync.present}')
|
|
|
be9751 |
+ log.debug(f'{sync.delete}')
|
|
|
be9751 |
+ assert 0 == len(sync.entries.keys())
|
|
|
be9751 |
+ assert 0 == len(sync.present)
|
|
|
be9751 |
+ assert 1 == len(sync.delete)
|
|
|
be9751 |
+
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py b/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
|
|
|
be9751 |
index 7b35537d5..64b7425a5 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
|
|
|
be9751 |
@@ -20,7 +20,7 @@ from lib389.idm.group import Groups
|
|
|
be9751 |
from lib389.topologies import topology_st as topology
|
|
|
be9751 |
from lib389.paths import Paths
|
|
|
be9751 |
from lib389.utils import ds_is_older
|
|
|
be9751 |
-from lib389.plugins import RetroChangelogPlugin, ContentSyncPlugin, AutoMembershipPlugin, MemberOfPlugin, MemberOfSharedConfig, AutoMembershipDefinitions, MEPTemplates, MEPConfigs, ManagedEntriesPlugin, MEPTemplate
|
|
|
be9751 |
+from lib389.plugins import RetroChangelogPlugin, ContentSynchronizationPlugin, AutoMembershipPlugin, MemberOfPlugin, MemberOfSharedConfig, AutoMembershipDefinitions, MEPTemplates, MEPConfigs, ManagedEntriesPlugin, MEPTemplate
|
|
|
be9751 |
from lib389._constants import *
|
|
|
be9751 |
|
|
|
be9751 |
from . import ISyncRepl, syncstate_assert
|
|
|
be9751 |
@@ -54,7 +54,7 @@ def test_syncrepl_basic(topology):
|
|
|
be9751 |
# Set the default targetid
|
|
|
be9751 |
rcl.replace('nsslapd-attribute', 'nsuniqueid:targetUniqueId')
|
|
|
be9751 |
# Enable sync repl
|
|
|
be9751 |
- csp = ContentSyncPlugin(st)
|
|
|
be9751 |
+ csp = ContentSynchronizationPlugin(st)
|
|
|
be9751 |
csp.enable()
|
|
|
be9751 |
# Restart DS
|
|
|
be9751 |
st.restart()
|
|
|
be9751 |
@@ -176,7 +176,7 @@ def test_sync_repl_mep(topology, request):
|
|
|
be9751 |
plugin.set('nsslapd-attribute', 'nsuniqueid:targetuniqueid')
|
|
|
be9751 |
|
|
|
be9751 |
# Enable sync plugin
|
|
|
be9751 |
- plugin = ContentSyncPlugin(inst)
|
|
|
be9751 |
+ plugin = ContentSynchronizationPlugin(inst)
|
|
|
be9751 |
plugin.enable()
|
|
|
be9751 |
|
|
|
be9751 |
# Check the plug-in status
|
|
|
be9751 |
@@ -232,6 +232,8 @@ def test_sync_repl_mep(topology, request):
|
|
|
be9751 |
prev = int(cookie)
|
|
|
be9751 |
sync_repl.join()
|
|
|
be9751 |
log.info('test_sync_repl_map: PASS\n')
|
|
|
be9751 |
+ inst.start()
|
|
|
be9751 |
+
|
|
|
be9751 |
|
|
|
be9751 |
def test_sync_repl_cookie(topology, request):
|
|
|
be9751 |
"""Test sync_repl cookie are progressing is an increasing order
|
|
|
be9751 |
@@ -240,33 +242,33 @@ def test_sync_repl_cookie(topology, request):
|
|
|
be9751 |
:id: d7fbde25-5702-46ac-b38e-169d7a68e97c
|
|
|
be9751 |
:setup: Standalone Instance
|
|
|
be9751 |
:steps:
|
|
|
be9751 |
- 1.: enable retroCL
|
|
|
be9751 |
- 2.: configure retroCL to log nsuniqueid as targetUniqueId
|
|
|
be9751 |
- 3.: enable content_sync plugin
|
|
|
be9751 |
- 4.: enable automember
|
|
|
be9751 |
- 5.: create (2) groups. Few groups can help to reproduce the concurrent updates problem.
|
|
|
be9751 |
- 6.: configure automember to provision those groups with 'member'
|
|
|
be9751 |
- 7.: enable and configure memberof plugin
|
|
|
be9751 |
- 8.: enable plugin log level
|
|
|
be9751 |
- 9.: restart the server
|
|
|
be9751 |
- 10.: create a thread dedicated to run a sync repl client
|
|
|
be9751 |
- 11.: Create (9) users that will generate nested updates (automember/memberof)
|
|
|
be9751 |
- 12.: stop sync repl client and collect the list of cookie.change_no
|
|
|
be9751 |
- 13.: check that cookies.change_no are in increasing order
|
|
|
be9751 |
+ 1. enable retroCL
|
|
|
be9751 |
+ 2. configure retroCL to log nsuniqueid as targetUniqueId
|
|
|
be9751 |
+ 3. enable content_sync plugin
|
|
|
be9751 |
+ 4. enable automember
|
|
|
be9751 |
+ 5. create (2) groups. Few groups can help to reproduce the concurrent updates problem.
|
|
|
be9751 |
+ 6. configure automember to provision those groups with 'member'
|
|
|
be9751 |
+ 7. enable and configure memberof plugin
|
|
|
be9751 |
+ 8. enable plugin log level
|
|
|
be9751 |
+ 9. restart the server
|
|
|
be9751 |
+ 10. create a thread dedicated to run a sync repl client
|
|
|
be9751 |
+ 11. Create (9) users that will generate nested updates (automember/memberof)
|
|
|
be9751 |
+ 12. stop sync repl client and collect the list of cookie.change_no
|
|
|
be9751 |
+ 13. check that cookies.change_no are in increasing order
|
|
|
be9751 |
:expectedresults:
|
|
|
be9751 |
- 1.: succeeds
|
|
|
be9751 |
- 2.: succeeds
|
|
|
be9751 |
- 3.: succeeds
|
|
|
be9751 |
- 4.: succeeds
|
|
|
be9751 |
- 5.: succeeds
|
|
|
be9751 |
- 6.: succeeds
|
|
|
be9751 |
- 7.: succeeds
|
|
|
be9751 |
- 8.: succeeds
|
|
|
be9751 |
- 9.: succeeds
|
|
|
be9751 |
- 10.: succeeds
|
|
|
be9751 |
- 11.: succeeds
|
|
|
be9751 |
- 12.: succeeds
|
|
|
be9751 |
- 13.: succeeds
|
|
|
be9751 |
+ 1. succeeds
|
|
|
be9751 |
+ 2. succeeds
|
|
|
be9751 |
+ 3. succeeds
|
|
|
be9751 |
+ 4. succeeds
|
|
|
be9751 |
+ 5. succeeds
|
|
|
be9751 |
+ 6. succeeds
|
|
|
be9751 |
+ 7. succeeds
|
|
|
be9751 |
+ 8. succeeds
|
|
|
be9751 |
+ 9. succeeds
|
|
|
be9751 |
+ 10. succeeds
|
|
|
be9751 |
+ 11. succeeds
|
|
|
be9751 |
+ 12. succeeds
|
|
|
be9751 |
+ 13. succeeds
|
|
|
be9751 |
"""
|
|
|
be9751 |
inst = topology[0]
|
|
|
be9751 |
|
|
|
be9751 |
@@ -277,7 +279,7 @@ def test_sync_repl_cookie(topology, request):
|
|
|
be9751 |
plugin.set('nsslapd-attribute', 'nsuniqueid:targetuniqueid')
|
|
|
be9751 |
|
|
|
be9751 |
# Enable sync plugin
|
|
|
be9751 |
- plugin = ContentSyncPlugin(inst)
|
|
|
be9751 |
+ plugin = ContentSynchronizationPlugin(inst)
|
|
|
be9751 |
plugin.enable()
|
|
|
be9751 |
|
|
|
be9751 |
# Enable automember
|
|
|
be9751 |
@@ -409,7 +411,7 @@ def test_sync_repl_cookie_add_del(topology, request):
|
|
|
be9751 |
plugin.set('nsslapd-attribute', 'nsuniqueid:targetuniqueid')
|
|
|
be9751 |
|
|
|
be9751 |
# Enable sync plugin
|
|
|
be9751 |
- plugin = ContentSyncPlugin(inst)
|
|
|
be9751 |
+ plugin = ContentSynchronizationPlugin(inst)
|
|
|
be9751 |
plugin.enable()
|
|
|
be9751 |
|
|
|
be9751 |
# Enable automember
|
|
|
be9751 |
@@ -541,7 +543,7 @@ def test_sync_repl_cookie_with_failure(topology, request):
|
|
|
be9751 |
plugin.set('nsslapd-attribute', 'nsuniqueid:targetuniqueid')
|
|
|
be9751 |
|
|
|
be9751 |
# Enable sync plugin
|
|
|
be9751 |
- plugin = ContentSyncPlugin(inst)
|
|
|
be9751 |
+ plugin = ContentSynchronizationPlugin(inst)
|
|
|
be9751 |
plugin.enable()
|
|
|
be9751 |
|
|
|
be9751 |
# Enable automember
|
|
|
be9751 |
diff --git a/dirsrvtests/tests/suites/vlv/regression_test.py b/dirsrvtests/tests/suites/vlv/regression_test.py
|
|
|
be9751 |
index 646cd97ba..2e1637a21 100644
|
|
|
be9751 |
--- a/dirsrvtests/tests/suites/vlv/regression_test.py
|
|
|
be9751 |
+++ b/dirsrvtests/tests/suites/vlv/regression_test.py
|
|
|
be9751 |
@@ -84,8 +84,8 @@ def test_bulk_import_when_the_backend_with_vlv_was_recreated(topology_m2):
|
|
|
be9751 |
MappingTrees(M2).list()[0].delete()
|
|
|
be9751 |
Backends(M2).list()[0].delete()
|
|
|
be9751 |
# Recreate the backend and the VLV index on Master 2.
|
|
|
be9751 |
- M2.mappingtree.create(DEFAULT_SUFFIX, "userRoot")
|
|
|
be9751 |
M2.backend.create(DEFAULT_SUFFIX, {BACKEND_NAME: "userRoot"})
|
|
|
be9751 |
+ M2.mappingtree.create(DEFAULT_SUFFIX, "userRoot")
|
|
|
be9751 |
# Recreating vlvSrchDn and vlvIndexDn on Master 2.
|
|
|
be9751 |
vlv_searches.create(
|
|
|
be9751 |
basedn="cn=userRoot,cn=ldbm database,cn=plugins,cn=config",
|
|
|
be9751 |
--
|
|
|
be9751 |
2.26.2
|
|
|
be9751 |
|