7:18 p.m.
This is an automated email from the git hooks/post-receive script.
firstyear pushed a change to branch master
in repository lib389.
from ede3dc0 Issue 31 - Initial MemberOf plugin support
new 9879178 Ticket 69 - add specfile requires
new dce79c5 Ticket 66 - expand healthcheck for Directory Server
new f3991c2 Issue 31 - Add functional tests for MemberOf plugin
new 65499d4 Issue 31 - Add status command and SkipNested support for MemberOf
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Summary of changes:
cli/dsconf | 4 +-
cli/dsctl | 2 +-
lib389/_mapped_object.py | 11 +-
lib389/backend.py | 43 +---
lib389/cli_conf/{lint.py => health.py} | 36 +--
lib389/cli_conf/plugin.py | 7 +
lib389/cli_conf/plugins/memberof.py | 33 ++-
lib389/config.py | 25 ++
lib389/lint.py | 111 +++++++++
lib389/plugins.py | 22 +-
lib389/tests/cli/conf_plugins/memberof_test.py | 31 ++-
lib389/tests/healthcheck_test.py | 42 ++++
lib389/{cli_conf => tests}/plugins/__init__.py | 0
lib389/tests/plugins/memberof_test.py | 310 +++++++++++++++++++++++++
lib389/tests/plugins/utils.py | 123 ++++++++++
python-lib389.spec | 2 +
16 files changed, 742 insertions(+), 60 deletions(-)
rename lib389/cli_conf/{lint.py => health.py} (52%)
create mode 100644 lib389/lint.py
create mode 100644 lib389/tests/healthcheck_test.py
copy lib389/{cli_conf => tests}/plugins/__init__.py (100%)
create mode 100644 lib389/tests/plugins/memberof_test.py
create mode 100644 lib389/tests/plugins/utils.py
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
7:18 p.m.
New subject: [lib389] 01/04: Ticket 69 - add specfile requires
This is an automated email from the git hooks/post-receive script.
firstyear pushed a commit to branch master
in repository lib389.
commit 9879178fd01460821fa0f0e968e4df1bfba0b354
Author: William Brown <firstyear(a)redhat.com>
Date: Tue Jun 20 11:40:07 2017 +1000
Ticket 69 - add specfile requires
Bug Description: lib389 requires iproute
Fix Description: add this to the requires
https://pagure.io/lib389/issue/69
Author: wibrown
Review by: ilias95, mreynolds (Thanks!)
---
python-lib389.spec | 2 ++
1 file changed, 2 insertions(+)
diff --git a/python-lib389.spec b/python-lib389.spec
index b4060b0..3200e59 100644
--- a/python-lib389.spec
+++ b/python-lib389.spec
@@ -33,6 +33,7 @@ Requires: python-ldap
Requires: krb5-workstation
Requires: krb5-server
Requires: openssl
+Requires: iproute
# Conditional will need to change later.
%if 0%{?rhel} >= 8 || 0%{?fedora}
Requires: python2
@@ -62,6 +63,7 @@ Summary: %{sum}
Requires: krb5-workstation
Requires: krb5-server
Requires: openssl
+Requires: iproute
Requires: python%{python3_pkgversion}
Requires: python%{python3_pkgversion}-pytest
Requires: python%{python3_pkgversion}-pyldap
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
7:18 p.m.
New subject: [lib389] 02/04: Ticket 66 - expand healthcheck for Directory Server
This is an automated email from the git hooks/post-receive script.
firstyear pushed a commit to branch master
in repository lib389.
commit dce79c5621e4cb344fa4932c45ccd6c7e34817cc
Author: William Brown <firstyear(a)redhat.com>
Date: Wed Jun 7 17:38:06 2017 +1000
Ticket 66 - expand healthcheck for Directory Server
Bug Description: In order to aid admins, we should be able to offer
advice about the status of their servers.
Fix Description: This expands the healthcheck command to include
encryption and password options. It changes the command name (from
lint to healthcheck), and add's generic wrappers to run these
more easily.
https://pagure.io/lib389/issue/66
Author: wibrown
Review by: ilias95, spichugi (Thanks!)
---
cli/dsconf | 4 +-
cli/dsctl | 2 +-
lib389/_mapped_object.py | 11 +++-
lib389/backend.py | 43 +++----------
lib389/cli_conf/{lint.py => health.py} | 36 +++++++----
lib389/config.py | 25 ++++++++
lib389/lint.py | 111 +++++++++++++++++++++++++++++++++
lib389/tests/healthcheck_test.py | 42 +++++++++++++
8 files changed, 221 insertions(+), 53 deletions(-)
diff --git a/cli/dsconf b/cli/dsconf
index a114afb..168ecdf 100755
--- a/cli/dsconf
+++ b/cli/dsconf
@@ -21,7 +21,7 @@ from lib389._constants import DN_CONFIG, DN_DM
from lib389.cli_conf import backend as cli_backend
from lib389.cli_conf import plugin as cli_plugin
from lib389.cli_conf import schema as cli_schema
-from lib389.cli_conf import lint as cli_lint
+from lib389.cli_conf import health as cli_health
from lib389.cli_conf.plugins import memberof as cli_memberof
from lib389.cli_base import disconnect_instance, connect_instance
@@ -62,7 +62,7 @@ if __name__ == '__main__':
cli_backend.create_parser(subparsers)
cli_schema.create_parser(subparsers)
- cli_lint.create_parser(subparsers)
+ cli_health.create_parser(subparsers)
cli_plugin.create_parser(subparsers)
cli_memberof.create_parser(subparsers)
diff --git a/cli/dsctl b/cli/dsctl
index bfaba4a..fed1a96 100755
--- a/cli/dsctl
+++ b/cli/dsctl
@@ -21,7 +21,7 @@ from lib389.cli_ctl import instance as cli_instance
from lib389.cli_ctl import dbtasks as cli_dbtasks
from lib389.cli_base import disconnect_instance
-log = logging.getLogger("dsadm")
+log = logging.getLogger("dsctl")
if __name__ == '__main__':
diff --git a/lib389/_mapped_object.py b/lib389/_mapped_object.py
index c307cf2..361b479 100644
--- a/lib389/_mapped_object.py
+++ b/lib389/_mapped_object.py
@@ -96,6 +96,7 @@ class DSLdapObject(DSLogging):
self._must_attributes = None
# attributes, we don't want to compare
self._compare_exclude = ['entryid']
+ self._lint_functions = None
def __unicode__(self):
val = self._dn
@@ -463,8 +464,14 @@ class DSLdapObject(DSLogging):
You should return an array of these dicts, on None if there are no errors.
"""
- return None
-
+ if not self._lint_functions:
+ return None
+ results = []
+ for fn in self._lint_functions:
+ result = fn()
+ if result:
+ results.append(result)
+ return results
# A challenge of this, is how do we manage indexes? They have two naming attribunes....
diff --git a/lib389/backend.py b/lib389/backend.py
index aa540e5..1affe13 100644
--- a/lib389/backend.py
+++ b/lib389/backend.py
@@ -24,6 +24,8 @@ from lib389.monitor import MonitorBackend
# This is for sample entry creation.
from lib389.configurations import get_sample_entries
+from lib389.lint import DSBLE0001
+
class BackendLegacy(object):
proxied_methods = 'search_s getEntry'.split()
@@ -391,6 +393,7 @@ class Backend(DSLdapObject):
self._must_attributes = ['nsslapd-suffix', 'cn']
self._create_objectclasses = ['top', 'extensibleObject',
BACKEND_OBJECTCLASS_VALUE]
self._protected = False
+ self._lint_functions = [self._lint_mappingtree]
# Check if a mapping tree for this suffix exists.
self._mts = MappingTrees(self._instance)
@@ -480,7 +483,7 @@ class Backend(DSLdapObject):
# The super will actually delete ourselves.
super(Backend, self).delete()
- def lint(self):
+ def _lint_mappingtree(self):
"""
Backend lint
@@ -488,48 +491,18 @@ class Backend(DSLdapObject):
* missing mapping tree entries for the backend
* missing indcies if we are local and have log access?
"""
- results = []
- # return ["Hello!",]
# Check for the missing mapping tree.
suffix = ensure_str(self.get_attr_val('nsslapd-suffix'))
bename = self.get_attr_val('cn')
- # This should change to the mapping tree objects later ....
try:
mt = self._mts.get(suffix)
if mt.get_attr_val('nsslapd-backend') != ensure_bytes(bename) and
mt.get_attr_val('nsslapd-state') != ensure_bytes('backend') :
raise ldap.NO_SUCH_OBJECT("We have a matching suffix, but not a
backend or correct database name.")
except ldap.NO_SUCH_OBJECT:
- results.append({
- 'dsle': 'DSBLE0001',
- 'severity': 'MEDIUM',
- 'items' : [bename, ],
- 'detail' : """
-This backend may be missing the correct mapping tree references. Mapping Trees allow
-the directory server to determine which backend an operation is routed to in the
-abscence of other information. This is extremely important for correct functioning
-of LDAP ADD for example.
-
-A correct Mapping tree for this backend must contain the suffix name, the database name
-and be a backend type. IE:
-
-cn=o3Dexample,cn=mapping tree,cn=config
-cn: o=example
-nsslapd-backend: userRoot
-nsslapd-state: backend
-objectClass: top
-objectClass: extensibleObject
-objectClass: nsMappingTree
-
- """,
- 'fix' : """
-Either you need to create the mapping tree, or you need to repair the related
-mapping tree. You will need to do this by hand by editing cn=config, or stopping
-the instance and editing dse.ldif.
- """
- })
- if len(results) == 0:
- return None
- return results
+ result = DSBLE0001
+ result['items'] = [bename, ]
+ return result
+ return None
def get_monitor(self):
monitor = MonitorBackend(instance=self._instance, dn= "cn=monitor,%s" %
self._dn, batch=self._batch)
diff --git a/lib389/cli_conf/lint.py b/lib389/cli_conf/health.py
similarity index 52%
rename from lib389/cli_conf/lint.py
rename to lib389/cli_conf/health.py
index 31c5cf0..02aef14 100644
--- a/lib389/cli_conf/lint.py
+++ b/lib389/cli_conf/health.py
@@ -9,12 +9,20 @@
import argparse
from lib389.backend import Backend, Backends
+from lib389.config import Encryption, Config
-LINT_OBJECTS = [
- Backends
+# These get all instances, then check them all.
+CHECK_MANY_OBJECTS = [
+ Backends,
]
-def _format_lint_output(log, result):
+# These get single instances and check them.
+CHECK_OBJECTS = [
+ Config,
+ Encryption,
+]
+
+def _format_check_output(log, result):
log.info("==== DS Lint Error: %s ====" % result['dsle'])
log.info(" Severity: %s " % result['severity'])
log.info(" Affects:")
@@ -25,25 +33,27 @@ def _format_lint_output(log, result):
log.info(" Resolution:")
log.info(result['fix'])
-def lint_run(inst, basedn, log, args):
+def health_check_run(inst, basedn, log, args):
log.info("Beginning lint report, this could take a while ...")
report = []
- for lo in LINT_OBJECTS:
+ for lo in CHECK_MANY_OBJECTS:
log.info("Checking %s ..." % lo.__name__)
lo_inst = lo(inst)
for clo in lo_inst.list():
result = clo.lint()
if result is not None:
report += result
- log.info("Lint complete!")
+ for lo in CHECK_OBJECTS:
+ log.info("Checking %s ..." % lo.__name__)
+ lo_inst = lo(inst)
+ result = lo_inst.lint()
+ if result is not None:
+ report += result
+ log.info("Healthcheck complete!")
for item in report:
- _format_lint_output(log, item)
+ _format_check_output(log, item)
def create_parser(subparsers):
- lint_parser = subparsers.add_parser('lint', help="Check for
configuration issues in your Directory Server instance.")
-
- subcommands = lint_parser.add_subparsers(help="action")
-
- run_lint_parser = subcommands.add_parser('run', help="Run a lint report
on your Directory Server instance. This is a safe, Read Only operation.")
- run_lint_parser.set_defaults(func=lint_run)
+ run_healthcheck_parser = subparsers.add_parser('healthcheck', help="Run
a healthcheck report on your Directory Server instance. This is a safe, read only
operation.")
+ run_healthcheck_parser.set_defaults(func=health_check_run)
diff --git a/lib389/config.py b/lib389/config.py
index 01b731e..0723214 100644
--- a/lib389/config.py
+++ b/lib389/config.py
@@ -20,7 +20,9 @@ import ldap
from lib389._constants import *
from lib389 import Entry
from lib389._mapped_object import DSLdapObject
+from lib389.utils import ensure_bytes, ensure_str
+from lib389.lint import DSCLE0001, DSCLE0002, DSELE0001
class Config(DSLdapObject):
"""
@@ -52,6 +54,7 @@ class Config(DSLdapObject):
]
self._compare_exclude = self._compare_exclude + config_compare_exclude
self._rdn_attribute = 'cn'
+ self._lint_functions = [self._lint_hr_timestamp, self._lint_passwordscheme]
@property
def dn(self):
@@ -180,6 +183,21 @@ class Config(DSLdapObject):
fields = 'nsslapd-security nsslapd-ssl-check-hostname'.split()
return self._instance.getEntry(DN_CONFIG, attrlist=fields)
+ def _lint_hr_timestamp(self):
+ hr_timestamp =
self.get_attr_val('nsslapd-logging-hr-timestamps-enabled')
+ if ensure_bytes('on') != hr_timestamp:
+ return DSCLE0001
+ pass # nsslapd-logging-hr-timestamps-enabled
+
+ def _lint_passwordscheme(self):
+ allowed_schemes = ['SSHA512', 'PBKDF2_SHA256']
+ password_scheme = self.get_attr_val('passwordStorageScheme')
+ root_scheme = self.get_attr_val('nsslapd-rootpwstoragescheme')
+ u_password_scheme = ensure_str(password_scheme)
+ u_root_scheme = ensure_str(root_scheme)
+ if u_root_scheme not in allowed_schemes or u_password_scheme not in
allowed_schemes:
+ return DSCLE0002
+ return None
class Encryption(DSLdapObject):
"""
@@ -196,12 +214,19 @@ class Encryption(DSLdapObject):
self._rdn_attribute = 'cn'
self._must_attributes = ['cn']
self._protected = True
+ self._lint_functions = [self._lint_check_tls_version]
def create(self, rdn=None, properties={'cn': 'encryption',
'nsSSLClientAuth': 'allowed'}):
if rdn is not None:
self._log.debug("dn on cn=encryption is not None. This is a
mistake.")
super(Encryption, self).create(properties=properties)
+ def _lint_check_tls_version(self):
+ tls_min = self.get_attr_val('sslVersionMin');
+ if tls_min < ensure_bytes('TLS1.1'):
+ return DSELE0001
+ return None
+
class RSA(DSLdapObject):
"""
Manage the "cn=RSA,cn=encryption,cn=config" object
diff --git a/lib389/lint.py b/lib389/lint.py
new file mode 100644
index 0000000..404cff8
--- /dev/null
+++ b/lib389/lint.py
@@ -0,0 +1,111 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2017 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+
+# A set of constants defining the lint errors we can return to a caller.
+# as well as some functions to help process them.
+
+
+DSBLE0001 = {
+ 'dsle': 'DSBLE0001',
+ 'severity': 'MEDIUM',
+ 'items' : [],
+ 'detail' : """
+This backend may be missing the correct mapping tree references. Mapping Trees allow
+the directory server to determine which backend an operation is routed to in the
+abscence of other information. This is extremely important for correct functioning
+of LDAP ADD for example.
+
+A correct Mapping tree for this backend must contain the suffix name, the database name
+and be a backend type. IE:
+
+cn=o3Dexample,cn=mapping tree,cn=config
+cn: o=example
+nsslapd-backend: userRoot
+nsslapd-state: backend
+objectClass: top
+objectClass: extensibleObject
+objectClass: nsMappingTree
+
+ """,
+ 'fix' : """
+Either you need to create the mapping tree, or you need to repair the related
+mapping tree. You will need to do this by hand by editing cn=config, or stopping
+the instance and editing dse.ldif.
+ """
+}
+
+DSCLE0001 = {
+ 'dsle' : 'DSCLE0001',
+ 'severity' : 'LOW',
+ 'items': ['cn=config', ],
+ 'detail' : """
+nsslapd-logging-hr-timestamps-enabled changes the log format in directory server from
+
+[07/Jun/2017:17:15:58 +1000]
+
+to
+
+[07/Jun/2017:17:15:58.716117312 +1000]
+
+This actually provides a performance improvement. Additionally, this setting will be
+removed in a future release.
+ """,
+ 'fix' : """
+Set nsslapd-logging-hr-timestamps-enabled to on.
+ """
+}
+
+DSCLE0002 = {
+ 'dsle': 'DSCLE0002',
+ 'severity': 'HIGH',
+ 'items' : ['cn=config', ],
+ 'detail' : """
+Password storage schemes in Directory Server define how passwords are hashed via a
+one-way mathematical function for storage. Knowing the hash it is difficult to gain
+the input, but knowing the input you can easily compare the hash.
+
+Many hashes are well known for cryptograhpic verification properties, but are
+designed to be *fast* to validate. This is the opposite of what we desire for password
+storage. In the unlikely event of a disclosure, you want hashes to be *difficult* to
+verify, as this adds a cost of work to an attacker.
+
+In Directory Server, we offer one hash suitable for this (PBKDF2_SHA256) and one hash
+for "legacy" support (SSHA512).
+
+Your configuration does not use these for password storage or the root password storage
+scheme.
+ """,
+ 'fix': """
+Perform a configuration reset of the values:
+
+passwordStorageScheme
+nsslapd-rootpwstoragescheme
+
+IE, stop Directory Server, and in dse.ldif delete these two lines. When Directory Server
+is started, they will use the server provided defaults that are secure.
+ """
+}
+
+DSELE0001 = {
+ 'dsle': 'DSELE0001',
+ 'severity': 'MEDIUM',
+ 'items' : ['cn=encryption,cn=config', ],
+ 'detail': """
+This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to
+have a number of issues with the protocol. Please see:
+
+https://tools.ietf.org/html/rfc7457
+
+It is advised you set this value to the maximum possible.
+ """,
+ 'fix' : """
+set cn=encryption,cn=config sslVersionMin to a version greater than TLS1.0
+ """
+}
+
+
diff --git a/lib389/tests/healthcheck_test.py b/lib389/tests/healthcheck_test.py
new file mode 100644
index 0000000..94711eb
--- /dev/null
+++ b/lib389/tests/healthcheck_test.py
@@ -0,0 +1,42 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2017 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+
+import pytest
+import ldap
+
+from lib389.topologies import topology_st
+
+from lib389.lint import *
+
+def test_hc_backend_mt(topology_st):
+ mt = topology_st.standalone.mappingtrees.get('userRoot')
+ # We have to remove the MT from a backend.
+ mt.delete()
+ be = topology_st.standalone.backends.get('userRoot')
+ result = be._lint_mappingtree()
+ # We have to check this by name, not object, as the result changes
+ # the affected dn in the result.
+ assert result['dsle'] == 'DSBLE0001'
+
+def test_hc_encryption(topology_st):
+ topology_st.standalone.encryption.set('sslVersionMin', 'TLS1.0')
+ result = topology_st.standalone.encryption._lint_check_tls_version()
+ assert result == DSELE0001
+
+def test_hc_config(topology_st):
+ # Check the HR timestamp
+ topology_st.standalone.config.set('nsslapd-logging-hr-timestamps-enabled',
'off')
+ result = topology_st.standalone.config._lint_hr_timestamp()
+ assert result == DSCLE0001
+
+ # Check the password scheme check.
+ topology_st.standalone.config.set('passwordStorageScheme', 'SSHA')
+ result = topology_st.standalone.config._lint_passwordscheme()
+ assert result == DSCLE0002
+
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
7:18 p.m.
New subject: [lib389] 03/04: Issue 31 - Add functional tests for MemberOf plugin
This is an automated email from the git hooks/post-receive script.
firstyear pushed a commit to branch master
in repository lib389.
commit f3991c25be6676289229f3852ae897c76eb23131
Author: Ilias Stamatis <stamatis.iliass(a)gmail.com>
Date: Mon Jun 19 04:08:10 2017 +0300
Issue 31 - Add functional tests for MemberOf plugin
Description: Add tests for testing the functionality of MemberOf
plugin. These tests make sure the plugin behaves properly based
on its configuration.
https://pagure.io/lib389/issue/31
Author: Ilias95
Review by: wibrown (Thanks, great work!)
---
lib389/tests/plugins/__init__.py | 0
lib389/tests/plugins/memberof_test.py | 310 ++++++++++++++++++++++++++++++++++
lib389/tests/plugins/utils.py | 123 ++++++++++++++
3 files changed, 433 insertions(+)
diff --git a/lib389/tests/plugins/__init__.py b/lib389/tests/plugins/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/lib389/tests/plugins/memberof_test.py
b/lib389/tests/plugins/memberof_test.py
new file mode 100644
index 0000000..5079bd1
--- /dev/null
+++ b/lib389/tests/plugins/memberof_test.py
@@ -0,0 +1,310 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2016-2017 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+
+import pytest
+
+from lib389.topologies import topology_st
+from lib389.plugins import MemberOfPlugin
+from lib389.properties import BACKEND_NAME, BACKEND_SUFFIX
+from lib389._constants import DEFAULT_SUFFIX
+from lib389.tests.plugins.utils import (
+ create_test_user, create_test_group, create_test_ou, delete_objects)
+
+
+(a)pytest.fixture(scope="module")
+def plugin(request):
+ topology = topology_st(request)
+ plugin = MemberOfPlugin(topology.standalone)
+ return plugin
+
+
+def test_memberof_enable_disable(plugin):
+ """
+ Test that the plugin doesn't do anything while disabled, and functions
+ properly when enabled.
+
+ NOTICE: This test case leaves the plugin enabled for the following tests.
+ """
+ # assert plugin is disabled (by default)
+ assert plugin.status() == False
+
+ user = create_test_user(plugin._instance)
+ group = create_test_group(plugin._instance)
+
+ # add user to the group (which normally triggers the plugin)
+ group.add_member(user.dn)
+
+ memberofattr = plugin.get_attr()
+ # assert no memberof attribute was created by the plugin
+ assert not memberofattr in user.get_all_attrs()
+
+ # enable the plugin and restart the server for the action to take effect
+ plugin.enable()
+ plugin._instance.restart()
+ assert plugin.status() == True
+
+ # trigger the plugin again
+ group.remove_member(user.dn)
+ group.add_member(user.dn)
+
+ # assert that the memberof attribute was now properly set
+ assert memberofattr in user.get_all_attrs()
+
+ # clean up for subsequent test cases
+ delete_objects([user, group])
+
+def test_memberofattr(plugin):
+ """
+ Test that the plugin automatically creates an attribute on user entries
+ declaring membership after adding them to a group. The attribute depends
+ on the value of memberOfAttr.
+ """
+ memberofattr = "memberOf"
+ plugin.set_attr(memberofattr)
+
+ user = create_test_user(plugin._instance)
+ group = create_test_group(plugin._instance)
+
+ # memberof attribute should not yet appear
+ assert not memberofattr in user.get_all_attrs()
+
+ # trigger the plugin
+ group.add_member(user.dn)
+
+ # assert that the memberof attribute was automatically set by the plugin
+ assert group.dn in user.get_attr_vals(memberofattr)
+
+ # clean up for subsequent test cases
+ delete_objects([user, group])
+
+def test_memberofgroupattr(plugin):
+ """
+ memberOfGroupAttr gives the attribute in the group entry to poll to identify
+ member DNs. Test that the memberOf is set on a user only for groups whose
+ membership attribute is included in memberOfGroupAttr.
+ """
+ memberofattr = plugin.get_attr()
+
+ # initially "member" should be the default and only value of
memberOfGroupAttr
+ assert plugin.get_attr_vals('memberofgroupattr') == ['member']
+
+ user = create_test_user(plugin._instance)
+ group_normal = create_test_group(plugin._instance)
+ group_unique = create_test_group(plugin._instance, unique_group=True)
+
+ # add user to both groups
+ group_normal.add_member(user.dn)
+ group_unique.add_member(user.dn)
+
+ # assert that the memberof attribute was set for normal group only
+ assert group_normal.dn in user.get_attr_vals(memberofattr)
+ assert not group_unique.dn in user.get_attr_vals(memberofattr)
+
+ # add another value to memberOfGroupAttr
+ plugin.add_groupattr('uniqueMember')
+
+ # remove user from groups and add them again in order to trigger the plugin
+ group_normal.remove_member(user.dn)
+ group_normal.add_member(user.dn)
+ group_unique.remove_member(user.dn)
+ group_unique.add_member(user.dn)
+
+ # assert that the memberof attribute was set for both groups this time
+ assert group_normal.dn in user.get_attr_vals(memberofattr)
+ assert group_unique.dn in user.get_attr_vals(memberofattr)
+
+ # clean up for subsequent test cases
+ delete_objects([user, group_normal, group_unique])
+
+def test_memberofallbackends(plugin):
+ """
+ By default the MemberOf plugin only looks for potential members for users
+ who are in the same database as the group. Test that when memberOfAllBackends
+ is enabled, memberOf will search across all databases instead.
+ """
+ ou_value = "ou=People2"
+ ou_suffix = DEFAULT_SUFFIX
+
+ # create a new backend
+ plugin._instance.backends.create(
+ None, properties={
+ BACKEND_NAME: "People2Data",
+ BACKEND_SUFFIX: ou_value + "," + ou_suffix,
+ })
+
+ # create a new sub-suffix stored in the new backend
+ ou2 = create_test_ou(plugin._instance, ou=ou_value, suffix=ou_suffix)
+
+ # add a user in the default backend
+ user_b1 = create_test_user(plugin._instance)
+ # add a user in the new backend
+ user_b2 = create_test_user(plugin._instance, suffix=ou2.dn)
+ # create a group in the default backend
+ group = create_test_group(plugin._instance)
+
+ # configure memberof to search only for users who are in the same backend as the
group
+ plugin.disable_allbackends()
+
+ group.add_member(user_b1.dn)
+ group.add_member(user_b2.dn)
+
+ memberofattr = plugin.get_attr()
+
+ # assert that memberOfAttr was set for the user stored in the same backend as the
group
+ assert group.dn in user_b1.get_attr_vals(memberofattr)
+ # assert that memberOfAttr was NOT set for the user stored in a different backend
+ assert not memberofattr in user_b2.get_all_attrs()
+
+ # configure memberof to search across all backends
+ plugin.enable_allbackends()
+
+ # remove users from group and add them again in order to re-trigger the plugin
+ group.remove_member(user_b1.dn)
+ group.remove_member(user_b2.dn)
+ group.add_member(user_b1.dn)
+ group.add_member(user_b2.dn)
+
+ # assert that memberOfAttr was set for users stored in both backends
+ assert group.dn in user_b1.get_attr_vals(memberofattr)
+ assert group.dn in user_b2.get_attr_vals(memberofattr)
+
+ # clean up for subsequent test cases
+ delete_objects([user_b1, user_b2, group, ou2])
+
+def test_memberofskipnested(plugin):
+ """
+ Test that when memberOfSkipNested is off (default) they plugin can properly
+ handle nested groups (groups that are member of other groups). Respectively
+ make sure that when memberOfSkipNested is on, the plugin lists only groups
+ to which a user was added directly.
+ """
+ user = create_test_user(plugin._instance)
+ group1 = create_test_group(plugin._instance)
+ group2 = create_test_group(plugin._instance)
+
+ # don't skip nested groups (this is the default)
+ plugin.disable_skipnested()
+
+ # create a nested group by listing group1 as a member of group2
+ group2.add_member(group1.dn)
+ # add user to group1 only
+ group1.add_member(user.dn)
+
+ memberofattr = plugin.get_attr()
+
+ assert group2.dn in group1.get_attr_vals(memberofattr)
+ # assert that memberOfAttr of user includes both groups
+ # even though they were not directly added to group2
+ assert group1.dn in user.get_attr_vals(memberofattr)
+ assert group2.dn in user.get_attr_vals(memberofattr)
+
+ # skip nested groups
+ plugin.enable_skipnested()
+
+ # remove from groups and add again in order to re-trigger the plugin
+ group2.remove_member(group1.dn)
+ group1.remove_member(user.dn)
+ group2.add_member(group1.dn)
+ group1.add_member(user.dn)
+
+ assert group2.dn in group1.get_attr_vals(memberofattr)
+ # assert that user's memberOfAttr includes only the group to which they were
added
+ assert group1.dn in user.get_attr_vals(memberofattr)
+ assert not group2.dn in user.get_attr_vals(memberofattr)
+
+ # clean up for subsequent test cases
+ delete_objects([user, group1, group2])
+
+def test_memberofautoaddocc(plugin):
+ """
+ Test that the MemberOf plugin automatically adds the object class defined
+ by memberOfAutoAddOC to a user object, if it does not contain an object
+ class that allows the memberOf attribute.
+ """
+ user = create_test_user(plugin._instance)
+ group = create_test_group(plugin._instance)
+
+ # delete any object classes that allow the memberOf attribute
+ if "nsMemberOf" in user.get_attr_vals("objectClass"):
+ user.remove("objectClass", "nsMemberOf")
+ if "inetUser" in user.get_attr_vals("objectClass"):
+ user.remove("objectClass", "inetUser")
+ if "inetAdmin" in user.get_attr_vals("objectClass"):
+ user.remove("objectClass", "inetAdmin")
+
+ # set a valid object class to memberOfAutoAddOC
+ plugin.set_autoaddoc("nsMemberOf")
+ # assert that user has not got this object class at the moment
+ assert not "nsMemberOf" in user.get_attr_vals("objectClass")
+
+ # trigger the plugin
+ group.add_member(user.dn)
+
+ # assert that the object class defined by memberOfAutoAddOC now exists
+ assert "nsMemberOf" in user.get_attr_vals("objectClass")
+
+ # reset user entry
+ group.remove_member(user.dn)
+ user.remove("objectClass", "nsMemberOf")
+
+ # repeat for different object class
+ plugin.set_autoaddoc("inetUser")
+ assert not "inetUser" in user.get_attr_vals("objectClass")
+
+ # re-trigger the plugin
+ group.add_member(user.dn)
+
+ assert "inetUser" in user.get_attr_vals("objectClass")
+
+ group.remove_member(user.dn)
+ user.remove("objectClass", "inetUser")
+
+ # repeat for different object class
+ plugin.set_autoaddoc("inetAdmin")
+ assert not "inetAdmin" in user.get_attr_vals("objectClass")
+
+ # re-trigger the plugin
+ group.add_member(user.dn)
+
+ assert "inetAdmin" in user.get_attr_vals("objectClass")
+
+ # clean up for subsequent test cases
+ delete_objects([user, group])
+
+def test_scoping(plugin):
+ """
+ Tests that the MemberOf plugin works on suffixes listed in memberOfEntryScope,
+ but skips suffixes listed in memberOfEntryScopeExcludeSubtree.
+ """
+ # create a new ou and 2 users under different ous
+ ou2 = create_test_ou(plugin._instance)
+ user_p1 = create_test_user(plugin._instance)
+ user_p2 = create_test_user(plugin._instance, suffix=ou2.dn)
+ group = create_test_group(plugin._instance)
+
+ # define include and exclude suffixes for MemberOf
+ plugin.add_entryscope(DEFAULT_SUFFIX)
+ plugin.add_excludescope(ou2.dn)
+
+ group.add_member(user_p1.dn)
+ group.add_member(user_p2.dn)
+
+ memberofattr = plugin.get_attr()
+
+ # assert that memberOfAttr was set for entry of an included suffix
+ assert group.dn in user_p1.get_attr_vals(memberofattr)
+ # assert that memberOfAttr was NOT set for entry of an excluded suffix
+ assert not memberofattr in user_p2.get_all_attrs()
+
+ # clean up for subsequent test cases
+ delete_objects([user_p1, user_p2, group, ou2])
+
+ # This does not work at the moment, because there is a bug in DS (#49284).
+ # plugin.remove_all_excludescope()
+ # plugin.remove_all_entryscope()
diff --git a/lib389/tests/plugins/utils.py b/lib389/tests/plugins/utils.py
new file mode 100644
index 0000000..4a7e248
--- /dev/null
+++ b/lib389/tests/plugins/utils.py
@@ -0,0 +1,123 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2016-2017 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+
+from lib389.idm.user import UserAccount
+from lib389.idm.group import Group, UniqueGroup
+from lib389.idm.organisationalunit import OrganisationalUnit
+from lib389._constants import DEFAULT_SUFFIX
+
+
+# These globals are only used by the functions of this module.
+# Each time we create a new test user/group/ou we increment the corresponding
+# variable by 1, in order to ensure DN uniqueness.
+test_user_id = 0
+test_group_id = 0
+test_ou_id = 0
+
+
+def create_test_user(instance, cn=None, suffix=None):
+ """
+ Creates a new user for testing.
+
+ It tries to create a user that doesn't already exist by using a different
+ ID each time. However, if it is provided with an existing cn/suffix it
+ will fail to create a new user and it will raise an LDAP error.
+
+ Returns a UserAccount object.
+ """
+ global test_user_id
+
+ if cn is None:
+ cn = "cn=testuser_" + str(test_user_id)
+ test_user_id += 1
+
+ if suffix is None:
+ suffix = "ou=People," + DEFAULT_SUFFIX
+ dn = cn + "," + suffix
+
+ properties = {
+ 'uid': cn,
+ 'cn': cn,
+ 'sn': 'user',
+ 'uidNumber': str(1000+test_user_id),
+ 'gidNumber': '2000',
+ 'homeDirectory': '/home/' + cn
+ }
+
+ user = UserAccount(instance, dn)
+ user.create(properties=properties)
+
+ return user
+
+def create_test_group(instance, cn=None, suffix=None, unique_group=False):
+ """
+ Creates a new group for testing.
+
+ It tries to create a group that doesn't already exist by using a different
+ ID each time. However, if it is provided with an existing cn/suffix it
+ will fail to create a new group and it will raise an LDAP error.
+
+ Returns a Group object.
+ """
+ global test_group_id
+
+ if cn is None:
+ cn = "cn=testgroup_" + str(test_group_id)
+ test_group_id += 1
+
+ if suffix is None:
+ suffix = "ou=Groups," + DEFAULT_SUFFIX
+ dn = cn + "," + suffix
+
+ properties = {
+ 'cn': cn,
+ 'ou': 'groups',
+ }
+
+ if unique_group:
+ group = UniqueGroup(instance, dn)
+ else:
+ group = Group(instance, dn)
+
+ group.create(properties=properties)
+
+ return group
+
+def create_test_ou(instance, ou=None, suffix=None):
+ """
+ Creates a new Organizational Unit for testing.
+
+ It tries to create a ou that doesn't already exist by using a different
+ ID each time. However, if it is provided with an existing ou/suffix it
+ will fail to create a new ou and it will raise an LDAP error.
+
+ Returns an OrganisationalUnit object.
+ """
+ global test_ou_id
+
+ if ou is None:
+ ou = "ou=TestOU_" + str(test_ou_id)
+ test_ou_id += 1
+
+ if suffix is None:
+ suffix = DEFAULT_SUFFIX
+ dn = ou + "," + suffix
+
+ properties = {
+ 'ou': ou,
+ }
+
+ ou = OrganisationalUnit(instance, dn)
+ ou.create(properties=properties)
+
+ return ou
+
+def delete_objects(objects):
+ for obj in objects:
+ obj.delete()
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
7:18 p.m.
New subject: [lib389] 04/04: Issue 31 - Add status command and SkipNested support for MemberOf
This is an automated email from the git hooks/post-receive script.
firstyear pushed a commit to branch master
in repository lib389.
commit 65499d461d28f9debf1671b6a07c9fc99e3beb66
Author: Ilias Stamatis <stamatis.iliass(a)gmail.com>
Date: Mon Jun 19 04:00:21 2017 +0300
Issue 31 - Add status command and SkipNested support for MemberOf
Description:
- Add a generic function for displaying plugin's status.
- Make sure that existing Plugin.status() works properly with py3.
- Add support for configuring memberOfSkipNested attr.
- Add dsconf support and cli tests for memberOfSkipNested attr.
- Define must-have attributes for MemberOf.
https://pagure.io/lib389/issue/31
Author: Ilias95
Review by: wibrown (Thanks, great work!)
---
lib389/cli_conf/plugin.py | 7 ++++++
lib389/cli_conf/plugins/memberof.py | 33 +++++++++++++++++++++++++-
lib389/plugins.py | 22 +++++++++++++----
lib389/tests/cli/conf_plugins/memberof_test.py | 31 +++++++++++++++++++++++-
4 files changed, 86 insertions(+), 7 deletions(-)
diff --git a/lib389/cli_conf/plugin.py b/lib389/cli_conf/plugin.py
index 2d02f87..70b75a0 100644
--- a/lib389/cli_conf/plugin.py
+++ b/lib389/cli_conf/plugin.py
@@ -76,6 +76,13 @@ def generic_disable(inst, basedn, log, args):
plugin.disable()
log.info("Disabled %s", plugin.rdn)
+def generic_status(inst, basedn, log, args):
+ plugin = args.plugin_cls(inst)
+ if plugin.status() == True:
+ log.info("%s is enabled", plugin.rdn)
+ else:
+ log.info("%s is disabled", plugin.rdn)
+
def create_parser(subparsers):
plugin_parser = subparsers.add_parser('plugin', help="Manage plugins
available on the server")
diff --git a/lib389/cli_conf/plugins/memberof.py b/lib389/cli_conf/plugins/memberof.py
index ceaecad..943a20d 100644
--- a/lib389/cli_conf/plugins/memberof.py
+++ b/lib389/cli_conf/plugins/memberof.py
@@ -9,7 +9,8 @@
import ldap
from lib389.plugins import MemberOfPlugin
-from lib389.cli_conf.plugin import generic_enable, generic_disable, generic_show
+from lib389.cli_conf.plugin import (
+ generic_enable, generic_disable, generic_status, generic_show)
def manage_attr(inst, basedn, log, args):
@@ -75,6 +76,24 @@ def disable_allbackends(inst, basedn, log, args):
plugin.disable_allbackends()
log.info("memberOfAllBackends disabled successfully")
+def display_skipnested(inst, basedn, log, args):
+ plugin = MemberOfPlugin(inst)
+ val = plugin.get_skipnested_formatted()
+ if not val:
+ log.info("memberOfSkipNested is not set")
+ else:
+ log.info(val)
+
+def enable_skipnested(inst, basedn, log, args):
+ plugin = MemberOfPlugin(inst)
+ plugin.enable_skipnested()
+ log.info("memberOfSkipNested set successfully")
+
+def disable_skipnested(inst, basedn, log, args):
+ plugin = MemberOfPlugin(inst)
+ plugin.disable_skipnested()
+ log.info("memberOfSkipNested unset successfully")
+
def manage_autoaddoc(inst, basedn, log, args):
if args.value == "del":
remove_autoaddoc(inst, basedn, log, args)
@@ -185,6 +204,9 @@ def create_parser(subparsers):
disable_parser = subcommands.add_parser('disable', help='disable memberof
plugin')
disable_parser.set_defaults(func=generic_disable, plugin_cls=MemberOfPlugin)
+ status_parser = subcommands.add_parser('status', help='display memberof
plugin status')
+ status_parser.set_defaults(func=generic_status, plugin_cls=MemberOfPlugin)
+
attr_parser = subcommands.add_parser('attr', help='get or set
memberofattr')
attr_parser.set_defaults(func=manage_attr)
attr_parser.add_argument('value', nargs='?', help='The value to
set as memberofattr')
@@ -209,6 +231,15 @@ def create_parser(subparsers):
off_allbackends_parser = allbackends_subcommands.add_parser('off',
help='disable all backends for memberof')
off_allbackends_parser.set_defaults(func=disable_allbackends)
+ skipnested_parser = subcommands.add_parser('skipnested', help='get or
manage memberofskipnested')
+ skipnested_parser.set_defaults(func=display_skipnested)
+ # argparse doesn't support optional subparsers in python2!
+ skipnested_subcommands = skipnested_parser.add_subparsers(help='action')
+ on_skipnested_parser = skipnested_subcommands.add_parser('on', help='skip
nested groups for memberof')
+ on_skipnested_parser.set_defaults(func=enable_skipnested)
+ off_skipnested_parser = skipnested_subcommands.add_parser('off',
help="don't skip nested groups for memberof")
+ off_skipnested_parser.set_defaults(func=disable_skipnested)
+
autoaddoc_parser = subcommands.add_parser('autoaddoc', help='get or set
memberofautoaddoc')
autoaddoc_parser.set_defaults(func=manage_autoaddoc)
autoaddoc_parser.add_argument('value', nargs='?',
choices=['nsmemberof', 'inetuser', 'inetadmin', 'del'],
diff --git a/lib389/plugins.py b/lib389/plugins.py
index bde4c92..57e983e 100644
--- a/lib389/plugins.py
+++ b/lib389/plugins.py
@@ -8,10 +8,11 @@
import ldap
import copy
+
from lib389.properties import *
from lib389._constants import *
-
from lib389._mapped_object import DSLdapObjects, DSLdapObject
+from lib389.utils import ensure_str
class Plugin(DSLdapObject):
_plugin_properties = {
@@ -42,9 +43,7 @@ class Plugin(DSLdapObject):
self.set('nsslapd-pluginEnabled', 'off')
def status(self):
- if self.get_attr_val('nsslapd-pluginEnabled') == 'on':
- return True
- return False
+ return ensure_str(self.get_attr_val('nsslapd-pluginEnabled')) ==
'on'
def create(self, rdn=None, properties=None, basedn=None):
# When we create plugins, we don't want people to have to consider all
@@ -167,7 +166,8 @@ class MemberOfPlugin(Plugin):
def __init__(self, instance, dn="cn=MemberOf Plugin,cn=plugins,cn=config",
batch=False):
super(MemberOfPlugin, self).__init__(instance, dn, batch)
- self._create_objectclasses = ['top', 'nsSlapdPlugin',
'extensibleObject']
+ self._create_objectclasses.extend(['extensibleObject'])
+ self._must_attributes.extend(['memberOfGroupAttr',
'memberOfAttr'])
def get_attr(self):
return self.get_attr_val('memberofattr')
@@ -202,6 +202,18 @@ class MemberOfPlugin(Plugin):
def disable_allbackends(self):
self.set('memberofallbackends', 'off')
+ def get_skipnested(self):
+ return self.get_attr_val('memberofskipnested')
+
+ def get_skipnested_formatted(self):
+ return self.display_attr('memberofskipnested')
+
+ def enable_skipnested(self):
+ self.set('memberofskipnested', 'on')
+
+ def disable_skipnested(self):
+ self.set('memberofskipnested', 'off')
+
def get_autoaddoc(self):
return self.get_attr_val('memberofautoaddoc')
diff --git a/lib389/tests/cli/conf_plugins/memberof_test.py
b/lib389/tests/cli/conf_plugins/memberof_test.py
index 4c8296a..e05b629 100644
--- a/lib389/tests/cli/conf_plugins/memberof_test.py
+++ b/lib389/tests/cli/conf_plugins/memberof_test.py
@@ -24,7 +24,7 @@ def topology(request):
# At the moment memberof plugin needs to be enabled in order to perform
# syntax checking. Additionally, we have to restart the server in order
- # for the action of enabling the pluging to take effect.
+ # for the action of enabling the plugin to take effect.
plugin.enable()
topology.standalone.restart()
topology.logcap.flush()
@@ -153,6 +153,35 @@ def test_disable_all_backends(topology):
assert topology.logcap.contains(": off")
topology.logcap.flush()
+def test_get_skipnested_when_not_set(topology):
+ args = FakeArgs()
+
+ memberof_cli.display_skipnested(topology.standalone, None, topology.logcap.log,
args)
+ assert topology.logcap.contains("memberOfSkipNested is not set")
+ topology.logcap.flush()
+
+def test_set_skipnested(topology):
+ args = FakeArgs()
+
+ memberof_cli.enable_skipnested(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("set successfully")
+ topology.logcap.flush()
+
+ memberof_cli.display_skipnested(topology.standalone, None, topology.logcap.log,
args)
+ assert topology.logcap.contains(": on")
+ topology.logcap.flush()
+
+def test_unset_skipnested(topology):
+ args = FakeArgs()
+
+ memberof_cli.disable_skipnested(topology.standalone, None, topology.logcap.log,
args)
+ assert topology.logcap.contains("unset successfully")
+ topology.logcap.flush()
+
+ memberof_cli.display_skipnested(topology.standalone, None, topology.logcap.log,
args)
+ assert topology.logcap.contains(": off")
+ topology.logcap.flush()
+
def test_set_autoaddoc(topology):
args = FakeArgs()
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
2501
days inactive
2501
days old
389-commits@lists.fedoraproject.org
4 comments
1 participants
participants (1)
-
git repository hosting