freeipa/tests/test_ipaserver/test_ldap.py

# Authors:
#   Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2010  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Test some simple LDAP requests using the ldap2 backend

# This fetches a certificate from a host principal so we can ensure that the
# schema is working properly. We know this because the schema will tell the
# encoder not to utf-8 encode binary attributes.

# The DM password needs to be set in ~/.ipa/.dmpw

import nose
import os
from ipaserver.plugins.ldap2 import ldap2
from ipalib.plugins.service import service, service_show
from ipalib.plugins.host import host
import nss.nss as nss
from ipalib import api, x509, create_api, errors
from ipapython import ipautil
from ipalib.dn import *

class test_ldap(object):
    """
    Test various LDAP client bind methods.
    """

    def setUp(self):
        self.conn = None
        self.ldapuri = 'ldap://%s' % ipautil.format_netloc(api.env.host)
        self.ccache = '/tmp/krb5cc_%d' % os.getuid()
        nss.nss_init_nodb()
        self.dn = str(DN(('krbprincipalname','ldap/%s@%s' % (api.env.host, api.env.realm)),
                         ('cn','services'),('cn','accounts'),api.env.basedn))

    def tearDown(self):
        if self.conn and self.conn.isconnected():
            self.conn.disconnect()

    def test_anonymous(self):
        """
        Test an anonymous LDAP bind using ldap2
        """
        self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)
        self.conn.connect()
        (dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])
        cert = entry_attrs.get('usercertificate')
        cert = cert[0]
        serial = unicode(x509.get_serial_number(cert, x509.DER))
        assert serial is not None

    def test_GSSAPI(self):
        """
        Test a GSSAPI LDAP bind using ldap2
        """
        if not ipautil.file_exists(self.ccache):
            raise nose.SkipTest('Missing ccache %s' % self.ccache)
        self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)
        self.conn.connect(ccache='FILE:%s' % self.ccache)
        (dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])
        cert = entry_attrs.get('usercertificate')
        cert = cert[0]
        serial = unicode(x509.get_serial_number(cert, x509.DER))
        assert serial is not None

    def test_simple(self):
        """
        Test a simple LDAP bind using ldap2
        """
        pwfile = api.env.dot_ipa + os.sep + ".dmpw"
        if ipautil.file_exists(pwfile):
            fp = open(pwfile, "r")
            dm_password = fp.read().rstrip()
            fp.close()
        else:
            raise nose.SkipTest("No directory manager password in %s" % pwfile)
        self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)
        self.conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)
        (dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])
        cert = entry_attrs.get('usercertificate')
        cert = cert[0]
        serial = unicode(x509.get_serial_number(cert, x509.DER))
        assert serial is not None

    def test_Backend(self):
        """
        Test using the ldap2 Backend directly (ala ipa-server-install)
        """

        # Create our own api because the one generated for the tests is
        # a client-only api. Then we register in the commands and objects
        # we need for the test.
        myapi = create_api(mode=None)
        myapi.bootstrap(context='cli', in_server=True, in_tree=True)
        myapi.register(ldap2)
        myapi.register(host)
        myapi.register(service)
        myapi.register(service_show)
        myapi.finalize()
        myapi.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw='password')

        result = myapi.Command['service_show']('ldap/%s@%s' %  (api.env.host, api.env.realm,))
        entry_attrs = result['result']
        cert = entry_attrs.get('usercertificate')
        cert = cert[0]
        serial = unicode(x509.get_serial_number(cert, x509.DER))
        assert serial is not None

    def test_autobind(self):
        """
        Test an autobind LDAP bind using ldap2
        """
        ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % api.env.realm.replace('.','-')
        self.conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
        try:
            self.conn.connect(autobind=True)
        except errors.DatabaseError, e:
            if e.desc == 'Inappropriate authentication':
                raise nose.SkipTest("Only executed as root")
        (dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])
        cert = entry_attrs.get('usercertificate')
        cert = cert[0]
        serial = unicode(x509.get_serial_number(cert, x509.DER))
        assert serial is not None
Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. 2010-09-09 15:24:12 -05:00			`# Authors:`
			`# Rob Crittenden <rcritten@redhat.com>`
			`#`
			`# Copyright (C) 2010 Red Hat`
			`# see file 'COPYING' for use and warranty information`
			`#`
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239 2010-12-09 06:59:11 -06:00			`# This program is free software; you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. 2010-09-09 15:24:12 -05:00			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239 2010-12-09 06:59:11 -06:00			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`
Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. 2010-09-09 15:24:12 -05:00
			`# Test some simple LDAP requests using the ldap2 backend`

			`# This fetches a certificate from a host principal so we can ensure that the`
			`# schema is working properly. We know this because the schema will tell the`
			`# encoder not to utf-8 encode binary attributes.`

			`# The DM password needs to be set in ~/.ipa/.dmpw`

			`import nose`
			`import os`
			`from ipaserver.plugins.ldap2 import ldap2`
			`from ipalib.plugins.service import service, service_show`
Fix LDAP client backend failing test case 2010-09-30 16:49:32 -05:00			`from ipalib.plugins.host import host`
Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. 2010-09-09 15:24:12 -05:00			`import nss.nss as nss`
Add plugin framework to LDAP updates. There are two reasons for the plugin framework: 1. To provide a way of doing manual/complex LDAP changes without having to keep extending ldapupdate.py (like we did with managed entries). 2. Allows for better control of restarts. There are two types of plugins, preop and postop. A preop plugin runs before any file-based updates are loaded. A postop plugin runs after all file-based updates are applied. A preop plugin may update LDAP directly or craft update entries to be applied with the file-based updates. Either a preop or postop plugin may attempt to restart the dirsrv instance. The instance is only restartable if ipa-ldap-updater is being executed as root. A warning is printed if a restart is requested for a non-root user. Plugins are not executed by default. This is so we can use ldapupdate to apply simple updates in commands like ipa-nis-manage. https://fedorahosted.org/freeipa/ticket/1789 https://fedorahosted.org/freeipa/ticket/1790 https://fedorahosted.org/freeipa/ticket/2032 2011-11-23 15:52:40 -06:00			`from ipalib import api, x509, create_api, errors`
Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. 2010-09-09 15:24:12 -05:00			`from ipapython import ipautil`
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision. 2011-08-09 20:21:56 -05:00			`from ipalib.dn import *`
Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. 2010-09-09 15:24:12 -05:00
			`class test_ldap(object):`
			`"""`
			`Test various LDAP client bind methods.`
			`"""`

			`def setUp(self):`
			`self.conn = None`
Add a function for formatting network locations of the form host:port for use in URLs. If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732). ticket 1869 2011-09-30 03:09:55 -05:00			`self.ldapuri = 'ldap://%s' % ipautil.format_netloc(api.env.host)`
Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. 2010-09-09 15:24:12 -05:00			`self.ccache = '/tmp/krb5cc_%d' % os.getuid()`
			`nss.nss_init_nodb()`
ticket 1600 - convert unittests to use DN objects We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision. 2011-08-09 20:21:56 -05:00			`self.dn = str(DN(('krbprincipalname','ldap/%s@%s' % (api.env.host, api.env.realm)),`
			`('cn','services'),('cn','accounts'),api.env.basedn))`
Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. 2010-09-09 15:24:12 -05:00
			`def tearDown(self):`
Add plugin framework to LDAP updates. There are two reasons for the plugin framework: 1. To provide a way of doing manual/complex LDAP changes without having to keep extending ldapupdate.py (like we did with managed entries). 2. Allows for better control of restarts. There are two types of plugins, preop and postop. A preop plugin runs before any file-based updates are loaded. A postop plugin runs after all file-based updates are applied. A preop plugin may update LDAP directly or craft update entries to be applied with the file-based updates. Either a preop or postop plugin may attempt to restart the dirsrv instance. The instance is only restartable if ipa-ldap-updater is being executed as root. A warning is printed if a restart is requested for a non-root user. Plugins are not executed by default. This is so we can use ldapupdate to apply simple updates in commands like ipa-nis-manage. https://fedorahosted.org/freeipa/ticket/1789 https://fedorahosted.org/freeipa/ticket/1790 https://fedorahosted.org/freeipa/ticket/2032 2011-11-23 15:52:40 -06:00			`if self.conn and self.conn.isconnected():`
Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. 2010-09-09 15:24:12 -05:00			`self.conn.disconnect()`

			`def test_anonymous(self):`
			`"""`
			`Test an anonymous LDAP bind using ldap2`
			`"""`
			`self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)`
			`self.conn.connect()`
			`(dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])`
			`cert = entry_attrs.get('usercertificate')`
			`cert = cert[0]`
			`serial = unicode(x509.get_serial_number(cert, x509.DER))`
			`assert serial is not None`

			`def test_GSSAPI(self):`
			`"""`
			`Test a GSSAPI LDAP bind using ldap2`
			`"""`
			`if not ipautil.file_exists(self.ccache):`
			`raise nose.SkipTest('Missing ccache %s' % self.ccache)`
			`self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)`
			`self.conn.connect(ccache='FILE:%s' % self.ccache)`
			`(dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])`
			`cert = entry_attrs.get('usercertificate')`
			`cert = cert[0]`
			`serial = unicode(x509.get_serial_number(cert, x509.DER))`
			`assert serial is not None`

			`def test_simple(self):`
			`"""`
			`Test a simple LDAP bind using ldap2`
			`"""`
			`pwfile = api.env.dot_ipa + os.sep + ".dmpw"`
			`if ipautil.file_exists(pwfile):`
			`fp = open(pwfile, "r")`
			`dm_password = fp.read().rstrip()`
			`fp.close()`
			`else:`
			`raise nose.SkipTest("No directory manager password in %s" % pwfile)`
			`self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)`
			`self.conn.connect(bind_dn='cn=directory manager', bind_pw=dm_password)`
			`(dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])`
			`cert = entry_attrs.get('usercertificate')`
			`cert = cert[0]`
			`serial = unicode(x509.get_serial_number(cert, x509.DER))`
			`assert serial is not None`

			`def test_Backend(self):`
			`"""`
			`Test using the ldap2 Backend directly (ala ipa-server-install)`
			`"""`

			`# Create our own api because the one generated for the tests is`
			`# a client-only api. Then we register in the commands and objects`
			`# we need for the test.`
			`myapi = create_api(mode=None)`
			`myapi.bootstrap(context='cli', in_server=True, in_tree=True)`
			`myapi.register(ldap2)`
Fix LDAP client backend failing test case 2010-09-30 16:49:32 -05:00			`myapi.register(host)`
Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. 2010-09-09 15:24:12 -05:00			`myapi.register(service)`
			`myapi.register(service_show)`
			`myapi.finalize()`
			`myapi.Backend.ldap2.connect(bind_dn="cn=Directory Manager", bind_pw='password')`

Fix LDAP client backend failing test case 2010-09-30 16:49:32 -05:00			`result = myapi.Command['service_show']('ldap/%s@%s' % (api.env.host, api.env.realm,))`
Add some tests for using the ldap2 Backend. Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that. 2010-09-09 15:24:12 -05:00			`entry_attrs = result['result']`
			`cert = entry_attrs.get('usercertificate')`
			`cert = cert[0]`
			`serial = unicode(x509.get_serial_number(cert, x509.DER))`
			`assert serial is not None`
Add plugin framework to LDAP updates. There are two reasons for the plugin framework: 1. To provide a way of doing manual/complex LDAP changes without having to keep extending ldapupdate.py (like we did with managed entries). 2. Allows for better control of restarts. There are two types of plugins, preop and postop. A preop plugin runs before any file-based updates are loaded. A postop plugin runs after all file-based updates are applied. A preop plugin may update LDAP directly or craft update entries to be applied with the file-based updates. Either a preop or postop plugin may attempt to restart the dirsrv instance. The instance is only restartable if ipa-ldap-updater is being executed as root. A warning is printed if a restart is requested for a non-root user. Plugins are not executed by default. This is so we can use ldapupdate to apply simple updates in commands like ipa-nis-manage. https://fedorahosted.org/freeipa/ticket/1789 https://fedorahosted.org/freeipa/ticket/1790 https://fedorahosted.org/freeipa/ticket/2032 2011-11-23 15:52:40 -06:00
			`def test_autobind(self):`
			`"""`
			`Test an autobind LDAP bind using ldap2`
			`"""`
			`ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % api.env.realm.replace('.','-')`
			`self.conn = ldap2(shared_instance=False, ldap_uri=ldapuri)`
			`try:`
			`self.conn.connect(autobind=True)`
			`except errors.DatabaseError, e:`
			`if e.desc == 'Inappropriate authentication':`
			`raise nose.SkipTest("Only executed as root")`
			`(dn, entry_attrs) = self.conn.get_entry(self.dn, ['usercertificate'])`
			`cert = entry_attrs.get('usercertificate')`
			`cert = cert[0]`
			`serial = unicode(x509.get_serial_number(cert, x509.DER))`
			`assert serial is not None`