@Ludwig Krispenz <lkris...@redhat.com>, exactly. Please check the attached
script to see how it is implemented.

Filter role and ACI combination.

On Tue, Jan 22, 2019 at 1:13 PM Ludwig <lkris...@redhat.com> wrote:

>
> On 01/21/2019 11:01 PM, William Brown wrote:
> >
> >> On 21 Jan 2019, at 17:08, Anuj Borah <abo...@redhat.com> wrote:
> >>
> >> One small correction here:
> >>
> >> Using the newly created nsUserAccountRole and nsUserAccountRoles (which
> >> will be used only to create filter roles), I am creating filter roles
> >> only. This is the confusion here; we should remember that filter roles
> >> are nothing but entries with o='something'. I am not touching any user
> >> here, but I am creating roles, and these roles cover the users
> >> automatically, as Ludwig Krispenz said earlier. Example:
> >>
> >> role=nsUserAccountRole(topo.standalone,'cn=tuser1,ou=People,dc=example,dc=com')
> >> user_props={'cn':'Anuj', 'nsRoleFilter':'cn=*'}
> >> role.create(properties=user_props, basedn=SUFFIX)
> >>
> >> In the above example I just created one filter role which will cover all
> >> users having 'cn=*' in 'ou=People'. Here 'cn=tuser1,ou=People,dc=example,dc=com'
> >> is nothing but a filter role which will cover all users having 'cn=*' in
> >> 'ou=People'.
> >>
> >> Another example is given below:
> >>
> >> dn: cn=FILTERROLEENGROLE,o=acivattr1,dc=example,dc=com
> >> cn: FILTERROLEENGROLE
> >> nsRoleFilter: cn=*
> >> objectClass: top
> >> objectClass: LDAPsubentry
> >> objectClass: nsRoleDefinition
> >> objectClass: nsComplexRoleDefinition
> >> objectClass: nsFilteredRoleDefinition
> >>
> >> The above entry is nothing but a filter role entry, which will cover all
> >> users in 'o=acivattr1' which have sub entries that begin with 'cn'. And
> >> this is the property of a filter role.
> >>
> >> Yes, I must say that the newly created nsUserAccountRole and
> >> nsUserAccountRoles, which I renamed to nsFilterAccountRole and
> >> nsFilterAccountRoles, will only cover filter roles, as you can't create
> >> filter roles and other roles like managed roles all together. For my
> >> porting stuff the newly created nsFilterAccountRole and
> >> nsFilterAccountRoles are more than enough because I need filter roles only.
> >>
> >> Hope it clears all of your doubts.
> >>
> > So I think the idea of composing this with nsUsers/nsAccount is so that
> > the nsRoleFilter becomes:
> >
> > &(objectClass=account)(cn=*)
> But this filter would probably match all accounts; to properly test
> role-based ACIs you need to have a set of users matching the filter and
> getting access granted, and a set of users not matching the filter and
> getting access rejected.
> >
> > This way it’s limited to just those types. Else we would have just a
> > “nsFilteredRole” lib389 type (which could be simpler, given that this idea
> > seems to have caused so much confusion already … :( )
> >
> > I still think it would be good to see a write-up of “how it works” by hand,
> > where you make the role, add the filter, show the roles on the users, then
> > how that translates to the lib389.
> +1
> >
> > Thanks,
> >
> >
> > —
> > Sincerely,
> >
> > William Brown
> > Software Engineer, 389 Directory Server
> > SUSE Labs
> > _______________________________________________
> > 389-devel mailing list -- 389-devel@lists.fedoraproject.org
> > To unsubscribe send an email to 389-devel-le...@lists.fedoraproject.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedoraproject.org/archives/list/389-devel@lists.fedoraproject.org
# --- BEGIN COPYRIGHT BLOCK ---
# Copyright (C) 2019 Red Hat, Inc.
# All rights reserved.
#
# License: GPL (version 3 or any later version).
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---

import os

import ldap
import pytest

# The poster's working module supplies the lib389 helpers used below
# (DEFAULT_SUFFIX, DN_DM, PW_DM, Domain, Organization, UserAccount,
# create_test_ou, create_test_user, ensure_bytes, the topo fixture) together
# with the experimental nsFilterAccountRoles class discussed in the thread.
from working_contstants import *

DNBASE = "o=acivattr,{}".format(DEFAULT_SUFFIX)
ENG_USER = "cn=enguser1,ou=eng,{}".format(DNBASE)
SALES_UESER = "cn=salesuser1,ou=sales,{}".format(DNBASE)
ENG_MANAGER = "cn=engmanager1,ou=eng,{}".format(DNBASE)
SALES_MANAGER = "cn=salesmanager1,ou=sales,{}".format(DNBASE)
SALES_OU = "ou=sales,{}".format(DNBASE)
ENG_OU = "ou=eng,{}".format(DNBASE)
FILTERROLESALESROLE = "cn=FILTERROLESALESROLE,{}".format(DNBASE)
FILTERROLEENGROLE = "cn=FILTERROLEENGROLE,{}".format(DNBASE)
DNBASE_WITH_ACI = "o=acivattr1,{}".format(DEFAULT_SUFFIX)
ENG_USER_WITH_ACI = "cn=enguser1,ou=eng,{}".format(DNBASE_WITH_ACI)
SALES_UESER_WITH_ACI = "cn=salesuser1,ou=sales,{}".format(DNBASE_WITH_ACI)
ENG_MANAGER_WITH_ACI = "cn=engmanager1,ou=eng,{}".format(DNBASE_WITH_ACI)
SALES_MANAGER_WITH_ACI = "cn=salesmanager1,ou=sales,{}".format(DNBASE_WITH_ACI)
SALES_OU_WITH_ACI = "ou=sales,{}".format(DNBASE_WITH_ACI)
ENG_OU_WITH_ACI = "ou=eng,{}".format(DNBASE_WITH_ACI)
FILTERROLESALESROLE_WITH_ACI = "cn=FILTERROLESALESROLE,{}".format(DNBASE_WITH_ACI)
FILTERROLEENGROLE_WITH_ACI = "cn=FILTERROLEENGROLE,{}".format(DNBASE_WITH_ACI)


@pytest.fixture(scope="function")
def aci_of_user(request, topo):
    """Snapshot the ACIs on the suffix and restore them after each test."""
    aci_list = [
        i._rawaci for i in topo.standalone.aci.list(DEFAULT_SUFFIX, ldap.SCOPE_BASE)
    ]

    def finofaci():
        # Drop whatever ACIs the test added, then put the original set back.
        topo.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_DELETE, "aci", None)])
        for i in aci_list:
            topo.standalone.modify_s(
                DEFAULT_SUFFIX, [(ldap.MOD_ADD, "aci", ensure_bytes(i))]
            )

    request.addfinalizer(finofaci)


@pytest.fixture(scope="function")
def _add_user(request, topo):
    """Build two parallel trees, o=acivattr and o=acivattr1, each with eng/sales
    OUs, four users and two filtered roles. o=acivattr1 additionally carries a
    blanket ACI granting enguser1 access to every entry that has an nsrole."""
    Organization(topo.standalone).create(properties={"o": "acivattr"}, basedn=DEFAULT_SUFFIX)
    create_test_ou(topo.standalone, "eng,o=acivattr")
    create_test_ou(topo.standalone, "sales,o=acivattr")
    # Filtered roles: FILTERROLEENGROLE matches every entry with a cn,
    # FILTERROLESALESROLE only the entries whose cn starts with "sales".
    roles = nsFilterAccountRoles(topo.standalone, DEFAULT_SUFFIX, rdn='o=acivattr')
    roles.create(properties={'cn': 'FILTERROLEENGROLE', 'nsRoleFilter': 'cn=*'})
    roles.create(properties={'cn': 'FILTERROLESALESROLE', 'nsRoleFilter': 'cn=sales*'})
    org = Organization(topo.standalone).create(
        properties={"o": "acivattr1"}, basedn=DEFAULT_SUFFIX
    )
    org.set(
        "aci",
        '(targetattr="*")(targetfilter="(nsrole=*)")(version 3.0; aci "tester"; allow(all)userdn = "ldap:///cn=enguser1,ou=eng,o=acivattr1,dc=example,dc=com";;)',
    )
    create_test_ou(topo.standalone, "eng,o=acivattr1")
    create_test_ou(topo.standalone, "sales,o=acivattr1")
    for i in ["enguser1,ou=eng,o=acivattr", "engmanager1,ou=eng,o=acivattr",
              "salesmanager1,ou=sales,o=acivattr", "salesuser1,ou=sales,o=acivattr",
              "enguser1,ou=eng,o=acivattr1", "engmanager1,ou=eng,o=acivattr1",
              "salesmanager1,ou=sales,o=acivattr1", "salesuser1,ou=sales,o=acivattr1"]:
        user = create_test_user(topo.standalone, "{}".format(i), DEFAULT_SUFFIX)
        user.set("userPassword", "password")
    roles = nsFilterAccountRoles(topo.standalone, DEFAULT_SUFFIX, rdn='o=acivattr1')
    roles.create(properties={'cn': 'FILTERROLEENGROLE', 'nsRoleFilter': 'cn=*'})
    roles.create(properties={'cn': 'FILTERROLESALESROLE', 'nsRoleFilter': 'cn=sales*'})

    def fin():
        # Clean up as Directory Manager, deleting leaves before their parents.
        topo.standalone.bind_s(DN_DM, PW_DM)
        for DN in [ENG_USER, SALES_UESER, ENG_MANAGER, SALES_MANAGER,
                   FILTERROLESALESROLE, FILTERROLEENGROLE,
                   ENG_USER_WITH_ACI, SALES_UESER_WITH_ACI, ENG_MANAGER_WITH_ACI,
                   SALES_MANAGER_WITH_ACI, FILTERROLESALESROLE_WITH_ACI,
                   FILTERROLEENGROLE_WITH_ACI,
                   ENG_OU, SALES_OU, DNBASE,
                   ENG_OU_WITH_ACI, SALES_OU_WITH_ACI, DNBASE_WITH_ACI]:
            topo.standalone.delete_s(DN)

    request.addfinalizer(fin)


REAL_EQ_ACI = ensure_bytes(
    '(targetattr="*")(targetfilter="(cn=engmanager1)") (version 3.0; acl "real-eq"; allow (all) userdn="ldap:///cn=enguser1,ou=eng,o=acivattr,dc=example,dc=com";;)'
)
REAL_PRES_ACI = ensure_bytes(
    '(targetattr="*")(targetfilter="(cn=*)") (version 3.0; acl "real-pres"; allow (all) userdn="ldap:///{}";;)'.format(
        ENG_USER
    )
)
REAL_SUB_ACI = ensure_bytes(
    '(targetattr="*")(targetfilter="(cn=eng*)") (version 3.0; acl "real-sub"; allow (all) userdn="ldap:///{}";;)'.format(
        ENG_USER
    )
)
ROLE_EQ_ACI = ensure_bytes(
    '(targetattr="*")(targetfilter="(nsrole=cn=FILTERROLEENGROLE,o=redhat.com)") (version 3.0; acl "role-eq"; allow (all) userdn="ldap:///{}";;)'.format(
        ENG_USER
    )
)
ROLE_PRES_ACI = ensure_bytes(
    '(targetattr="*")(targetfilter="(nsrole=*)") (version 3.0; acl "role-pres"; allow (all) userdn="ldap:///{}";;)'.format(
        ENG_USER
    )
)
ROLE_SUB_ACI = ensure_bytes(
    '(targetattr="*")(targetfilter="(nsrole=cn=filterroleeng*)") (version 3.0; acl "role-sub"; allow (all) userdn="ldap:///{}";;)'.format(
        ENG_USER
    )
)
COS_EQ_ACI = ensure_bytes(
    '(targetattr="*")(targetfilter="(employeetype=engtype)") (version 3.0; acl "cos-eq"; allow (all) userdn="ldap:///{}";;)'.format(
        ENG_USER
    )
)
COS_PRES_ACI = ensure_bytes(
    '(targetattr="*")(targetfilter="(employeetype=*)") (version 3.0; acl "cos-pres"; allow (all) userdn="ldap:///{}";;)'.format(
        ENG_USER
    )
)
COS_SUB_ACI = ensure_bytes(
    '(targetattr="*")(targetfilter="(employeetype=eng*)") (version 3.0; acl "cos-sub"; allow (all) userdn="ldap:///{}";;)'.format(
        ENG_USER
    )
)
LDAPURL_ACI = ensure_bytes(
    '(targetattr="*")(version 3.0; acl "url"; allow (all) userdn="ldap:///o=acivattr??sub?(nsrole=*eng*)";)'
)


List_positive = [
    (ENG_USER, ENG_MANAGER, REAL_EQ_ACI),
    (ENG_USER, ENG_MANAGER, REAL_PRES_ACI),
    (ENG_USER, ENG_MANAGER, REAL_SUB_ACI),
]


List_negatitive = [
    (ENG_USER, SALES_MANAGER, REAL_EQ_ACI),
    (ENG_USER, SALES_OU, REAL_PRES_ACI),
    (ENG_USER, SALES_MANAGER, REAL_SUB_ACI),
    (ENG_USER, ENG_MANAGER, COS_EQ_ACI),
    (ENG_USER, SALES_MANAGER, COS_EQ_ACI),
    (ENG_USER, ENG_MANAGER, COS_PRES_ACI),
    (ENG_USER, SALES_OU, COS_PRES_ACI),
    (ENG_USER, ENG_MANAGER, COS_SUB_ACI),
    (ENG_USER, SALES_MANAGER, COS_SUB_ACI),
    (ENG_USER, ENG_MANAGER, LDAPURL_ACI),
    (ENG_USER, SALES_MANAGER, LDAPURL_ACI),
]


ids_positive = [
    "( ENG_USER, ENG_MANAGER, REAL_EQ_ACI)",
    "( ENG_USER, ENG_MANAGER, REAL_PRES_ACI)",
    "( ENG_USER, ENG_MANAGER, REAL_SUB_ACI)",
]

ids_negative = [
    "( ENG_USER, SALES_MANAGER, REAL_EQ_ACI)",
    "( ENG_USER, SALES_OU, REAL_PRES_ACI)",
    "( ENG_USER, SALES_MANAGER, REAL_SUB_ACI)",
    "( ENG_USER, ENG_MANAGER, COS_EQ_ACI)",
    "( ENG_USER, SALES_MANAGER, COS_EQ_ACI)",
    "( ENG_USER, ENG_MANAGER, COS_PRES_ACI)",
    "( ENG_USER, SALES_OU, COS_PRES_ACI)",
    "( ENG_USER, ENG_MANAGER, COS_SUB_ACI)",
    "( ENG_USER, SALES_MANAGER, COS_SUB_ACI)",
    "( ENG_USER, ENG_MANAGER, LDAPURL_ACI)",
    "( ENG_USER, SALES_MANAGER, LDAPURL_ACI)",
]


List_positive_with_role = [
    (ENG_USER_WITH_ACI, ENG_MANAGER_WITH_ACI, ROLE_EQ_ACI),
    (ENG_USER_WITH_ACI, SALES_MANAGER_WITH_ACI, ROLE_EQ_ACI),
    (ENG_USER_WITH_ACI, ENG_MANAGER_WITH_ACI, ROLE_PRES_ACI),
    (ENG_USER_WITH_ACI, SALES_MANAGER_WITH_ACI, ROLE_SUB_ACI),
    (ENG_USER_WITH_ACI, ENG_MANAGER_WITH_ACI, ROLE_SUB_ACI),
]

List_negatitive_with_role = [(ENG_USER_WITH_ACI, SALES_OU_WITH_ACI, ROLE_PRES_ACI)]

List_positive_with_role_id = [
    "( ENG_USER_WITH_ACI, ENG_MANAGER_WITH_ACI, ROLE_EQ_ACI)",
    "( ENG_USER_WITH_ACI, SALES_MANAGER_WITH_ACI, ROLE_EQ_ACI)",
    "(ENG_USER_WITH_ACI, ENG_MANAGER_WITH_ACI, ROLE_PRES_ACI)",
    "(ENG_USER_WITH_ACI, SALES_MANAGER_WITH_ACI, ROLE_SUB_ACI)",
    "(ENG_USER_WITH_ACI, ENG_MANAGER_WITH_ACI, ROLE_SUB_ACI)",
]

List_negatitive_with_role_id = ["(ENG_USER_WITH_ACI, SALES_OU_WITH_ACI, ROLE_PRES_ACI)"]


@pytest.mark.parametrize("user,entry,aci", List_positive, ids=ids_positive)
def test_positive(topo, _add_user, aci_of_user, user, entry, aci):
    """
    :id: ba6d5e9c-786b-11e8-860d-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. ACI role should be followed
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    Domain(topo.standalone, DNBASE).add("aci", aci)
    # Bind as the test user and modify the target entry the ACI is meant to cover.
    conn = UserAccount(topo.standalone, user).bind(PW_DM)
    Domain(conn, entry).replace("description", b"Fred")
    assert Domain(conn, entry).present('description')

@pytest.mark.parametrize("user,entry,aci", List_negatitive, ids=ids_negative)
def test_negative(topo, _add_user, aci_of_user, user, entry, aci):
    """
    :id: c4c887c2-786b-11e8-a328-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. ACI role should be followed
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should fail, because the ACI does not cover this user/entry pair
    """
    Domain(topo.standalone, DNBASE).add("aci", aci)
    conn = UserAccount(topo.standalone, user).bind(PW_DM)
    # The modification must be rejected for an entry outside the ACI's target filter.
    with pytest.raises(Exception):
        Domain(conn, entry).replace("description", b"Fred")


@pytest.mark.parametrize(
    "user,entry,aci", List_positive_with_role, ids=List_positive_with_role_id
)
def test_positive_with_role(topo, _add_user, aci_of_user, user, entry, aci):
    """
    :id: ba6d5e9c-786b-11e8-860d-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. ACI role should be followed
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    Domain(topo.standalone, DNBASE_WITH_ACI).add("aci", aci)
    conn = UserAccount(topo.standalone, user).bind(PW_DM)
    Domain(conn, entry).replace("description", b"Fred")
    assert Domain(conn, entry).present('description')


@pytest.mark.parametrize(
    "user,entry,aci", List_negatitive_with_role, ids=List_negatitive_with_role_id
)
def test_negative_with_role(topo, _add_user, aci_of_user, user, entry, aci):
    """
    :id: c4c887c2-786b-11e8-a328-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. ACI role should be followed
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should fail, because the target entry holds no nsrole
    """
    Domain(topo.standalone, DNBASE_WITH_ACI).add("aci", aci)
    conn = UserAccount(topo.standalone, user).bind(PW_DM)
    with pytest.raises(Exception):
        Domain(conn, entry).replace("description", b"Fred")


if __name__ == "__main__":
    CURRENT_FILE = os.path.realpath(__file__)
    # pytest.main expects a list of arguments, not a single string.
    pytest.main(["-s", "-v", CURRENT_FILE])
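As an added example (not code from the thread, from lib389 or from the attached script), the following standalone Python models by hand what William asks for: which users a filtered role covers, and which entries an ACI with a targetfilter on nsrole therefore applies to. The user tree, the two role filters and the ACI filters are constructed to mirror the attached script; the DN handling, role scoping and the small filter evaluator are a simplified model written here, not 389 Directory Server's own implementation.

```python
# Added example, not code from the thread or from lib389: an offline model of
# how a 389 Directory Server filtered role fills the virtual "nsrole"
# attribute of the entries in its scope, and which entries an ACI with a
# targetfilter on nsrole would then apply to. All data below is constructed
# to mirror the layout of the attached test script.
import re

SUFFIX = "dc=example,dc=com"
BASE = "o=acivattr," + SUFFIX

# Constructed user entries (attribute -> list of values), keyed by DN.
USERS = {
    "cn=enguser1,ou=eng," + BASE: {"cn": ["enguser1"]},
    "cn=engmanager1,ou=eng," + BASE: {"cn": ["engmanager1"]},
    "cn=salesuser1,ou=sales," + BASE: {"cn": ["salesuser1"]},
    "cn=salesmanager1,ou=sales," + BASE: {"cn": ["salesmanager1"]},
}

# Filtered role definitions as in the script: role DN -> nsRoleFilter.
ROLES = {
    "cn=FILTERROLEENGROLE," + BASE: "(cn=*)",
    "cn=FILTERROLESALESROLE," + BASE: "(cn=sales*)",
}


def normalize_dn(dn):
    """DN comparison is case-insensitive; spaces after the separators are ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn):
    return ",".join(dn.split(",")[1:])


def is_under(dn, base):
    """True when dn is base itself or lies anywhere below it (subtree scope)."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def match_filter(entry, flt):
    """Evaluate the single-item filter shapes used in the thread:
    (attr=*) presence, (attr=value) equality, (attr=prefix*) initial substring.
    Any other shape (AND/OR, a '*' in the middle) returns False rather than guessing."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=([^()]*)\)", flt)
    if not m:
        return False
    attr, pattern = m.group(1).lower(), m.group(2).lower()
    values = [v.lower() for v in entry.get(attr, [])]
    if pattern == "*":
        return bool(values)
    if pattern.endswith("*") and "*" not in pattern[:-1]:
        return any(v.startswith(pattern[:-1]) for v in values)
    if "*" not in pattern:
        return pattern in values
    return False


def compute_nsrole(users, roles):
    """Filtered role semantics (modelled): the role's scope is the subtree of the
    role entry's parent, and every entry in scope that matches nsRoleFilter gets
    the role DN as a value of the virtual attribute nsrole."""
    nsrole = {}
    for dn, entry in users.items():
        held = [normalize_dn(role_dn) for role_dn, flt in roles.items()
                if is_under(dn, parent_dn(role_dn)) and match_filter(entry, flt)]
        nsrole[dn] = sorted(held)
    return nsrole


def split_access(users, roles, targetfilter):
    """Return (targeted, not_targeted): the entries an ACI whose targetfilter
    refers to nsrole would apply to, and those it would not. A meaningful
    role-based ACI test needs both lists to be non-empty."""
    held_by_dn = compute_nsrole(users, roles)
    targeted, not_targeted = [], []
    for dn, entry in users.items():
        # The virtual attribute as the ACI evaluator would see it on the entry.
        view = dict(entry, nsrole=held_by_dn[dn])
        (targeted if match_filter(view, targetfilter) else not_targeted).append(dn)
    return sorted(targeted), sorted(not_targeted)


if __name__ == "__main__":
    for dn, held in compute_nsrole(USERS, ROLES).items():
        print(dn, "->", held)
    for flt in ["(nsrole=cn=FILTERROLESALESROLE," + BASE + ")",
                "(nsrole=cn=FILTERROLEENGROLE," + BASE + ")",
                "(nsrole=cn=FILTERROLEENGROLE,o=redhat.com)",
                "(nsrole=*)"]:
        targeted, missed = split_access(USERS, ROLES, flt)
        print(flt, "targets", len(targeted), "entries, misses", len(missed))
```

Running it shows Ludwig's point concretely: with the cn=sales* role, an ACI targeting that role splits the four users into two targeted and two not targeted, so a positive and a negative case both exist, whereas with cn=* every user holds the role and the ACI targets all of them, leaving nothing for a negative test. The script's ROLE_EQ_ACI literal, (nsrole=cn=FILTERROLEENGROLE,o=redhat.com), names a role DN that does not exist under o=acivattr, so in this model it targets no entry at all; and the (nsrole=*) filter of the blanket ACI that the fixture sets on o=acivattr1 targets every user, so that ACI alone would already cover the role-based positive cases.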