mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-09 07:43:01 -06:00
ef955c9015
LDAPSearch class constructs a filter from a set of attributes and their values passed in by the command. During this construction process a limited set of attributes gets converted to a special form, the rest is simply taken as a string and escaped according to LDAP rules. This means DateTime class would simply be converted to string using str(DateTime) and that uses default formatting method. For LDAP we need to apply a specific formatting method instead. Following LDAP attributes now handled as datetime.datetime: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE) ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE) ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE) ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE) ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE) ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE) ( 2.16.840.1.113730.3.8.16.1.3 NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP') ( 2.16.840.1.113730.3.8.16.1.4 NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP') Fixes: https://pagure.io/freeipa/issue/9395 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Antonio Torres <antorres@redhat.com>
364 lines
11 KiB
Python
364 lines
11 KiB
Python
# Authors:
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
#
|
|
# Copyright (C) 2010 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
# Test some simple LDAP requests using the ldap2 backend
|
|
|
|
# This fetches a certificate from a host principal so we can ensure that the
|
|
# schema is working properly. We know this because the schema will tell the
|
|
# encoder not to utf-8 encode binary attributes.
|
|
|
|
# The DM password needs to be set in ~/.ipa/.dmpw
|
|
|
|
from __future__ import absolute_import
|
|
|
|
from datetime import datetime, timedelta
|
|
import os
|
|
import sys
|
|
|
|
import pytest
|
|
import six
|
|
|
|
from ipaplatform.paths import paths
|
|
from ipaserver.plugins.ldap2 import ldap2, AUTOBIND_DISABLED
|
|
from ipalib import api, create_api, errors
|
|
from ipapython.dn import DN
|
|
|
|
if six.PY3:
|
|
unicode = str
|
|
|
|
|
|
@pytest.mark.tier0
|
|
@pytest.mark.needs_ipaapi
|
|
class test_ldap:
|
|
"""
|
|
Test various LDAP client bind methods.
|
|
"""
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def ldap_setup(self, request):
|
|
self.conn = None
|
|
self.ldapuri = api.env.ldap_uri
|
|
self.dn = DN(('krbprincipalname','ldap/%s@%s' % (api.env.host, api.env.realm)),
|
|
('cn','services'),('cn','accounts'),api.env.basedn)
|
|
|
|
def fin():
|
|
if self.conn and self.conn.isconnected():
|
|
self.conn.disconnect()
|
|
request.addfinalizer(fin)
|
|
|
|
def test_anonymous(self):
|
|
"""
|
|
Test an anonymous LDAP bind using ldap2
|
|
"""
|
|
self.conn = ldap2(api)
|
|
self.conn.connect(autobind=AUTOBIND_DISABLED)
|
|
dn = api.env.basedn
|
|
entry_attrs = self.conn.get_entry(dn, ['associateddomain'])
|
|
domain = entry_attrs.single_value['associateddomain']
|
|
assert domain == api.env.domain
|
|
|
|
def test_GSSAPI(self):
|
|
"""
|
|
Test a GSSAPI LDAP bind using ldap2
|
|
"""
|
|
self.conn = ldap2(api)
|
|
self.conn.connect(autobind=AUTOBIND_DISABLED)
|
|
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
|
|
cert = entry_attrs.get('usercertificate')[0]
|
|
assert cert.serial_number is not None
|
|
|
|
def test_simple(self):
|
|
"""
|
|
Test a simple LDAP bind using ldap2
|
|
"""
|
|
pwfile = api.env.dot_ipa + os.sep + ".dmpw"
|
|
if os.path.isfile(pwfile):
|
|
with open(pwfile, "r") as fp:
|
|
dm_password = fp.read().rstrip()
|
|
else:
|
|
pytest.skip(
|
|
"No directory manager password in %s" % pwfile
|
|
)
|
|
self.conn = ldap2(api)
|
|
self.conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)
|
|
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
|
|
cert = entry_attrs.get('usercertificate')[0]
|
|
assert cert.serial_number is not None
|
|
|
|
def test_Backend(self):
|
|
"""
|
|
Test using the ldap2 Backend directly (ala ipa-server-install)
|
|
"""
|
|
|
|
# Create our own api because the one generated for the tests is
|
|
# a client-only api. Then we register in the commands and objects
|
|
# we need for the test.
|
|
myapi = create_api(mode=None)
|
|
myapi.bootstrap(context='cli', in_server=True, confdir=paths.ETC_IPA)
|
|
myapi.finalize()
|
|
|
|
pwfile = api.env.dot_ipa + os.sep + ".dmpw"
|
|
if os.path.isfile(pwfile):
|
|
with open(pwfile, "r") as fp:
|
|
dm_password = fp.read().rstrip()
|
|
else:
|
|
pytest.skip(
|
|
"No directory manager password in %s" % pwfile
|
|
)
|
|
myapi.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=dm_password)
|
|
|
|
result = myapi.Command['service_show']('ldap/%s@%s' % (api.env.host, api.env.realm,))
|
|
entry_attrs = result['result']
|
|
cert = entry_attrs.get('usercertificate')[0]
|
|
assert cert.serial_number is not None
|
|
|
|
def test_autobind(self):
|
|
"""
|
|
Test an autobind LDAP bind using ldap2
|
|
"""
|
|
self.conn = ldap2(api)
|
|
try:
|
|
self.conn.connect(autobind=True)
|
|
except errors.ACIError:
|
|
pytest.skip("Only executed as root")
|
|
entry_attrs = self.conn.get_entry(self.dn, ['usercertificate'])
|
|
cert = entry_attrs.get('usercertificate')[0]
|
|
assert cert.serial_number is not None
|
|
|
|
def test_generalized_time(self):
|
|
"""
|
|
Test that LDAP generalized time is converted to/from datetime
|
|
"""
|
|
self.conn = ldap2(api)
|
|
try:
|
|
self.conn.connect(autobind=True)
|
|
except errors.ACIError:
|
|
pytest.skip("Only executed as root")
|
|
if not api.Backend.rpcclient.isconnected():
|
|
api.Backend.rpcclient.connect()
|
|
newdate = datetime.now() + timedelta(days=365)
|
|
lastdate = api.Backend.ldap2.encode(newdate).decode('utf-8')
|
|
api.Command["user_mod"](
|
|
"admin",
|
|
**dict(setattr=("krbprincipalexpiration=%s" % lastdate))
|
|
)
|
|
result = api.Command["user_find"](
|
|
**dict(krbprincipalexpiration=lastdate)
|
|
)
|
|
assert result['count'] == 1
|
|
|
|
|
|
@pytest.mark.tier0
|
|
@pytest.mark.needs_ipaapi
|
|
class test_LDAPEntry:
|
|
"""
|
|
Test the LDAPEntry class
|
|
"""
|
|
cn1 = [u'test1']
|
|
cn2 = [u'test2']
|
|
dn1 = DN(('cn', cn1[0]))
|
|
dn2 = DN(('cn', cn2[0]))
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def ldapentry_setup(self, request):
|
|
self.ldapuri = api.env.ldap_uri
|
|
self.conn = ldap2(api)
|
|
self.conn.connect(autobind=AUTOBIND_DISABLED)
|
|
|
|
self.entry = self.conn.make_entry(self.dn1, cn=self.cn1)
|
|
|
|
def fin():
|
|
if self.conn and self.conn.isconnected():
|
|
self.conn.disconnect()
|
|
request.addfinalizer(fin)
|
|
|
|
def test_entry(self):
|
|
e = self.entry
|
|
assert e.dn is self.dn1
|
|
assert u'cn' in e
|
|
assert u'cn' in e.keys()
|
|
assert 'CN' in e
|
|
if six.PY2:
|
|
assert 'CN' not in e.keys()
|
|
else:
|
|
assert 'CN' in e.keys()
|
|
assert 'commonName' in e
|
|
if six.PY2:
|
|
assert 'commonName' not in e.keys()
|
|
else:
|
|
assert 'commonName' in e.keys()
|
|
assert e['CN'] is self.cn1
|
|
assert e['CN'] is e[u'cn']
|
|
|
|
e.dn = self.dn2
|
|
assert e.dn is self.dn2
|
|
|
|
def test_set_attr(self):
|
|
e = self.entry
|
|
e['commonName'] = self.cn2
|
|
assert u'cn' in e
|
|
assert u'cn' in e.keys()
|
|
assert 'CN' in e
|
|
if six.PY2:
|
|
assert 'CN' not in e.keys()
|
|
else:
|
|
assert 'CN' in e.keys()
|
|
assert 'commonName' in e
|
|
if six.PY2:
|
|
assert 'commonName' not in e.keys()
|
|
else:
|
|
assert 'commonName' in e.keys()
|
|
assert e['CN'] is self.cn2
|
|
assert e['CN'] is e[u'cn']
|
|
|
|
def test_del_attr(self):
|
|
e = self.entry
|
|
del e['CN']
|
|
assert 'CN' not in e
|
|
assert 'CN' not in e.keys()
|
|
assert u'cn' not in e
|
|
assert u'cn' not in e.keys()
|
|
assert 'commonName' not in e
|
|
assert 'commonName' not in e.keys()
|
|
|
|
def test_popitem(self):
|
|
e = self.entry
|
|
assert e.popitem() == ('cn', self.cn1)
|
|
assert list(e) == []
|
|
|
|
def test_setdefault(self):
|
|
e = self.entry
|
|
assert e.setdefault('cn', self.cn2) == self.cn1
|
|
assert e['cn'] == self.cn1
|
|
assert e.setdefault('xyz', self.cn2) == self.cn2
|
|
assert e['xyz'] == self.cn2
|
|
|
|
def test_update(self):
|
|
e = self.entry
|
|
e.update({'cn': self.cn2}, xyz=self.cn2)
|
|
assert e['cn'] == self.cn2
|
|
assert e['xyz'] == self.cn2
|
|
|
|
def test_pop(self):
|
|
e = self.entry
|
|
assert e.pop('cn') == self.cn1
|
|
assert 'cn' not in e
|
|
assert e.pop('cn', 'default') == 'default'
|
|
with pytest.raises(KeyError):
|
|
e.pop('cn')
|
|
|
|
def test_clear(self):
|
|
e = self.entry
|
|
e.clear()
|
|
assert not e
|
|
assert 'cn' not in e
|
|
|
|
@pytest.mark.skipif(sys.version_info >= (3, 0), reason="Python 2 only")
|
|
def test_has_key(self):
|
|
e = self.entry
|
|
assert not e.has_key('xyz') # noqa
|
|
assert e.has_key('cn') # noqa
|
|
assert e.has_key('COMMONNAME') # noqa
|
|
|
|
def test_in(self):
|
|
e = self.entry
|
|
assert 'xyz' not in e
|
|
assert 'cn' in e
|
|
assert 'COMMONNAME' in e
|
|
|
|
def test_get(self):
|
|
e = self.entry
|
|
assert e.get('cn') == self.cn1
|
|
assert e.get('commonname') == self.cn1
|
|
assert e.get('COMMONNAME', 'default') == self.cn1
|
|
assert e.get('bad key', 'default') == 'default'
|
|
|
|
def test_single_value(self):
|
|
e = self.entry
|
|
assert e.single_value['cn'] == self.cn1[0]
|
|
assert e.single_value['commonname'] == self.cn1[0]
|
|
assert e.single_value.get('COMMONNAME', 'default') == self.cn1[0]
|
|
assert e.single_value.get('bad key', 'default') == 'default'
|
|
|
|
def test_sync(self):
|
|
e = self.entry
|
|
|
|
nice = e['test'] = [1, 2, 3]
|
|
assert e['test'] is nice
|
|
|
|
raw = e.raw['test']
|
|
assert raw == [b'1', b'2', b'3']
|
|
|
|
nice.remove(1)
|
|
assert e.raw['test'] is raw
|
|
assert raw == [b'2', b'3']
|
|
|
|
raw.append(b'4')
|
|
assert e['test'] is nice
|
|
assert nice == [2, 3, u'4']
|
|
|
|
nice.remove(2)
|
|
raw.append(b'5')
|
|
assert nice == [3, u'4']
|
|
assert raw == [b'2', b'3', b'4', b'5']
|
|
assert e['test'] is nice
|
|
assert e.raw['test'] is raw
|
|
assert nice == [3, u'4', u'5']
|
|
assert raw == [b'3', b'4', b'5']
|
|
|
|
nice.insert(0, 2)
|
|
raw.remove(b'4')
|
|
assert nice == [2, 3, u'4', u'5']
|
|
assert raw == [b'3', b'5']
|
|
assert e.raw['test'] is raw
|
|
assert e['test'] is nice
|
|
assert nice == [2, 3, u'5']
|
|
assert raw == [b'3', b'5', b'2']
|
|
|
|
raw = [b'a', b'b']
|
|
e.raw['test'] = raw
|
|
assert e['test'] is not nice
|
|
assert e['test'] == [u'a', u'b']
|
|
|
|
nice = 'not list'
|
|
e['test'] = nice
|
|
assert e['test'] is nice
|
|
assert e.raw['test'] == [b'not list']
|
|
|
|
e.raw['test'].append(b'second')
|
|
assert e['test'] == ['not list', u'second']
|
|
|
|
def test_modlist_with_varying_encodings(self):
|
|
"""
|
|
Test modlist is correct when only encoding of new value differs
|
|
|
|
See: https://bugzilla.redhat.com/show_bug.cgi?id=1658302
|
|
"""
|
|
dn_ipa_encoded = b'O=Red Hat\\, Inc.'
|
|
dn_389ds_encoded = b'O=Red Hat\\2C Inc.'
|
|
entry = self.entry
|
|
entry.raw['distinguishedName'] = [dn_389ds_encoded]
|
|
# This is to make entry believe that that value was part of the
|
|
# original data we received from LDAP
|
|
entry.reset_modlist()
|
|
entry['distinguishedName'] = [entry['distinguishedName'][0]]
|
|
assert entry.generate_modlist() == [
|
|
(1, 'distinguishedName', [dn_389ds_encoded]),
|
|
(0, 'distinguishedName', [dn_ipa_encoded])]
|