"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/keystone/tests/unit/test_ldap_livetest.py" (13 May 2020, 8258 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Python source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "test_ldap_livetest.py": 16.0.1_vs_17.0.0.

    1 # Copyright 2012 OpenStack Foundation
    2 #
    3 # Licensed under the Apache License, Version 2.0 (the "License"); you may
    4 # not use this file except in compliance with the License. You may obtain
    5 # a copy of the License at
    6 #
    7 #      http://www.apache.org/licenses/LICENSE-2.0
    8 #
    9 # Unless required by applicable law or agreed to in writing, software
   10 # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
   11 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
   12 # License for the specific language governing permissions and limitations
   13 # under the License.
   14 
   15 import subprocess
   16 
   17 import ldap.modlist
   18 
   19 from keystone.common import provider_api
   20 import keystone.conf
   21 from keystone import exception
   22 from keystone.identity.backends import ldap as identity_ldap
   23 from keystone.tests import unit
   24 from keystone.tests.unit import test_backend_ldap
   25 
   26 
   27 CONF = keystone.conf.CONF
   28 PROVIDERS = provider_api.ProviderAPIs
   29 
   30 
   31 def create_object(dn, attrs):
   32     conn = ldap.initialize(CONF.ldap.url)
   33     conn.simple_bind_s(CONF.ldap.user, CONF.ldap.password)
   34     ldif = ldap.modlist.addModlist(attrs)
   35     conn.add_s(dn, ldif)
   36     conn.unbind_s()
   37 
   38 
   39 class LiveLDAPIdentity(test_backend_ldap.LDAPIdentity):
   40 
   41     def setUp(self):
   42         self._ldap_skip_live()
   43         super(LiveLDAPIdentity, self).setUp()
   44 
   45     def _ldap_skip_live(self):
   46         self.skip_if_env_not_set('ENABLE_LDAP_LIVE_TEST')
   47 
   48     def clear_database(self):
   49         devnull = open('/dev/null', 'w')
   50         subprocess.call(['ldapdelete',
   51                          '-x',
   52                          '-D', CONF.ldap.user,
   53                          '-H', CONF.ldap.url,
   54                          '-w', CONF.ldap.password,
   55                          '-r', CONF.ldap.suffix],
   56                         stderr=devnull)
   57 
   58         if CONF.ldap.suffix.startswith('ou='):
   59             tree_dn_attrs = {'objectclass': 'organizationalUnit',
   60                              'ou': 'openstack'}
   61         else:
   62             tree_dn_attrs = {'objectclass': ['dcObject', 'organizationalUnit'],
   63                              'dc': 'openstack',
   64                              'ou': 'openstack'}
   65         create_object(CONF.ldap.suffix, tree_dn_attrs)
   66         create_object(CONF.ldap.user_tree_dn,
   67                       {'objectclass': 'organizationalUnit',
   68                        'ou': 'Users'})
   69         create_object(CONF.ldap.group_tree_dn,
   70                       {'objectclass': 'organizationalUnit',
   71                        'ou': 'UserGroups'})
   72 
   73     def config_files(self):
   74         config_files = super(LiveLDAPIdentity, self).config_files()
   75         config_files.append(unit.dirs.tests_conf('backend_liveldap.conf'))
   76         return config_files
   77 
   78     def test_build_tree(self):
   79         """Regression test for building the tree names."""
   80         # logic is different from the fake backend.
   81         user_api = identity_ldap.UserApi(CONF)
   82         self.assertTrue(user_api)
   83         self.assertEqual(CONF.ldap.user_tree_dn, user_api.tree_dn)
   84 
   85     def test_ldap_dereferencing(self):
   86         alt_users_ldif = {'objectclass': ['top', 'organizationalUnit'],
   87                           'ou': 'alt_users'}
   88         alt_fake_user_ldif = {'objectclass': ['person', 'inetOrgPerson'],
   89                               'cn': 'alt_fake1',
   90                               'sn': 'alt_fake1'}
   91         aliased_users_ldif = {'objectclass': ['alias', 'extensibleObject'],
   92                               'aliasedobjectname': "ou=alt_users,%s" %
   93                               CONF.ldap.suffix}
   94         create_object("ou=alt_users,%s" % CONF.ldap.suffix, alt_users_ldif)
   95         create_object("%s=alt_fake1,ou=alt_users,%s" %
   96                       (CONF.ldap.user_id_attribute, CONF.ldap.suffix),
   97                       alt_fake_user_ldif)
   98         create_object("ou=alt_users,%s" % CONF.ldap.user_tree_dn,
   99                       aliased_users_ldif)
  100 
  101         self.config_fixture.config(group='ldap',
  102                                    query_scope='sub',
  103                                    alias_dereferencing='never')
  104         PROVIDERS.identity_api = identity_ldap.Identity()
  105         self.assertRaises(exception.UserNotFound,
  106                           PROVIDERS.identity_api.get_user,
  107                           'alt_fake1')
  108 
  109         self.config_fixture.config(group='ldap',
  110                                    alias_dereferencing='searching')
  111         PROVIDERS.identity_api = identity_ldap.Identity()
  112         user_ref = PROVIDERS.identity_api.get_user('alt_fake1')
  113         self.assertEqual('alt_fake1', user_ref['id'])
  114 
  115         self.config_fixture.config(group='ldap', alias_dereferencing='always')
  116         PROVIDERS.identity_api = identity_ldap.Identity()
  117         user_ref = PROVIDERS.identity_api.get_user('alt_fake1')
  118         self.assertEqual('alt_fake1', user_ref['id'])
  119 
  120     # FakeLDAP does not correctly process filters, so this test can only be
  121     # run against a live LDAP server
  122     def test_list_groups_for_user_filtered(self):
  123         domain = self._get_domain_fixture()
  124         test_groups = []
  125         test_users = []
  126         GROUP_COUNT = 3
  127         USER_COUNT = 2
  128 
  129         positive_user = unit.create_user(PROVIDERS.identity_api, domain['id'])
  130         negative_user = unit.create_user(PROVIDERS.identity_api, domain['id'])
  131 
  132         for x in range(0, USER_COUNT):
  133             group_refs = PROVIDERS.identity_api.list_groups_for_user(
  134                 test_users[x]['id'])
  135             self.assertEqual(0, len(group_refs))
  136 
  137         for x in range(0, GROUP_COUNT):
  138             new_group = unit.new_group_ref(domain_id=domain['id'])
  139             new_group = PROVIDERS.identity_api.create_group(new_group)
  140             test_groups.append(new_group)
  141 
  142             group_refs = PROVIDERS.identity_api.list_groups_for_user(
  143                 positive_user['id'])
  144             self.assertEqual(x, len(group_refs))
  145 
  146             PROVIDERS.identity_api.add_user_to_group(
  147                 positive_user['id'],
  148                 new_group['id'])
  149             group_refs = PROVIDERS.identity_api.list_groups_for_user(
  150                 positive_user['id'])
  151             self.assertEqual(x + 1, len(group_refs))
  152 
  153             group_refs = PROVIDERS.identity_api.list_groups_for_user(
  154                 negative_user['id'])
  155             self.assertEqual(0, len(group_refs))
  156 
  157         driver = PROVIDERS.identity_api._select_identity_driver(
  158             CONF.identity.default_domain_id)
  159         driver.group.ldap_filter = '(dn=xx)'
  160 
  161         group_refs = PROVIDERS.identity_api.list_groups_for_user(
  162             positive_user['id'])
  163         self.assertEqual(0, len(group_refs))
  164         group_refs = PROVIDERS.identity_api.list_groups_for_user(
  165             negative_user['id'])
  166         self.assertEqual(0, len(group_refs))
  167 
  168         driver.group.ldap_filter = '(objectclass=*)'
  169 
  170         group_refs = PROVIDERS.identity_api.list_groups_for_user(
  171             positive_user['id'])
  172         self.assertEqual(GROUP_COUNT, len(group_refs))
  173         group_refs = PROVIDERS.identity_api.list_groups_for_user(
  174             negative_user['id'])
  175         self.assertEqual(0, len(group_refs))
  176 
  177     def test_user_enable_attribute_mask(self):
  178         self.config_fixture.config(
  179             group='ldap',
  180             user_enabled_emulation=False,
  181             user_enabled_attribute='employeeType')
  182         super(LiveLDAPIdentity, self).test_user_enable_attribute_mask()
  183 
  184     def test_create_project_case_sensitivity(self):
  185         # The attribute used for the live LDAP tests is case insensitive.
  186 
  187         def call_super():
  188             (super(LiveLDAPIdentity, self).
  189                 test_create_project_case_sensitivity())
  190 
  191         self.assertRaises(exception.Conflict, call_super)
  192 
  193     def test_create_user_case_sensitivity(self):
  194         # The attribute used for the live LDAP tests is case insensitive.
  195 
  196         def call_super():
  197             super(LiveLDAPIdentity, self).test_create_user_case_sensitivity()
  198 
  199         self.assertRaises(exception.Conflict, call_super)
  200 
  201     def test_project_update_missing_attrs_with_a_falsey_value(self):
  202         # The description attribute doesn't allow an empty value.
  203 
  204         def call_super():
  205             (super(LiveLDAPIdentity, self).
  206                 test_project_update_missing_attrs_with_a_falsey_value())
  207 
  208         self.assertRaises(ldap.INVALID_SYNTAX, call_super)