From 0f309fee0e2b337ee333d9ce80a6c64d6f7161ef Mon Sep 17 00:00:00 2001

From: Viktor Ashirov <vashirov@redhat.com>

Date: Thu, 12 Nov 2020 17:53:09 +0100

Subject: [PATCH] Backport tests from master branch, fix failing tests (#4425)

Relates: #2820

Reviewed by: mreynolds (Thanks!)

---

 dirsrvtests/tests/suites/acl/acivattr_test.py |  50 +--

 dirsrvtests/tests/suites/acl/acl_deny_test.py |  10 +-

 dirsrvtests/tests/suites/acl/acl_test.py      |  26 +-

 .../acl/default_aci_allows_self_write.py      |   4 +-

 dirsrvtests/tests/suites/acl/deladd_test.py   |  54 ++--

 .../suites/acl/enhanced_aci_modrnd_test.py    |  22 +-

 .../suites/acl/globalgroup_part2_test.py      |  36 ++-

 .../tests/suites/acl/globalgroup_test.py      |  16 +-

 .../tests/suites/acl/keywords_part2_test.py   |  30 +-

 dirsrvtests/tests/suites/acl/keywords_test.py |  71 ++---

 dirsrvtests/tests/suites/acl/misc_test.py     | 104 +++---

 dirsrvtests/tests/suites/acl/modrdn_test.py   | 180 +++++------

 dirsrvtests/tests/suites/acl/roledn_test.py   |   4 +-

 .../suites/acl/selfdn_permissions_test.py     |  23 +-

 dirsrvtests/tests/suites/acl/syntax_test.py   |  56 ++--

 dirsrvtests/tests/suites/acl/userattr_test.py |   6 +-

 .../tests/suites/acl/valueacl_part2_test.py   | 107 ++++---

 dirsrvtests/tests/suites/acl/valueacl_test.py | 207 ++++++------

 dirsrvtests/tests/suites/basic/basic_test.py  |  23 +-

 .../tests/suites/ds_logs/ds_logs_test.py      | 301 ++++++++++++++----

 .../filter/rfc3673_all_oper_attrs_test.py     |  23 +-

 .../suites/mapping_tree/acceptance_test.py    |  65 ++++

 .../be_del_and_default_naming_attr_test.py    |  17 +-

 .../password/pwdPolicy_attribute_test.py      |   9 +-

 .../suites/replication/changelog_test.py      |   6 +-

 .../replication/conflict_resolve_test.py      |   4 +-

 .../tests/suites/replication/rfc2307compat.py | 174 ++++++++++

 dirsrvtests/tests/suites/roles/__init__.py    |   3 +

 dirsrvtests/tests/suites/roles/basic_test.py  |  83 ++---

 .../tests/suites/sasl/regression_test.py      |  21 +-

 .../tests/suites/syncrepl_plugin/__init__.py  | 163 ++++++++++

 .../suites/syncrepl_plugin/basic_test.py      |  66 ++--

 .../tests/suites/vlv/regression_test.py       |   2 +-

 33 files changed, 1319 insertions(+), 647 deletions(-)

 create mode 100644 dirsrvtests/tests/suites/mapping_tree/acceptance_test.py

 create mode 100644 dirsrvtests/tests/suites/replication/rfc2307compat.py

 create mode 100644 dirsrvtests/tests/suites/roles/__init__.py

 create mode 100644 dirsrvtests/tests/suites/syncrepl_plugin/__init__.py

diff --git a/dirsrvtests/tests/suites/acl/acivattr_test.py b/dirsrvtests/tests/suites/acl/acivattr_test.py

index 35759f36e..d55eea023 100644

--- a/dirsrvtests/tests/suites/acl/acivattr_test.py

+++ b/dirsrvtests/tests/suites/acl/acivattr_test.py

@@ -174,18 +174,19 @@ LDAPURL_ACI = '(targetattr="*")(version 3.0; acl "url"; allow (all) userdn="ldap

     '(ENG_USER, ENG_MANAGER, LDAPURL_ACI)',

 ])

 def test_positive(topo, _add_user, aci_of_user, user, entry, aci):

-    """

-        :id: ba6d5e9c-786b-11e8-860d-8c16451d917b

-        :parametrized: yes

-        :setup: server

-        :steps:

-            1. Add test entry

-            2. Add ACI

-            3. ACI role should be followed

-        :expectedresults:

-            1. Entry should be added

-            2. Operation should  succeed

-            3. Operation should  succeed

+    """Positive testing of ACLs

+

+    :id: ba6d5e9c-786b-11e8-860d-8c16451d917b

+    :parametrized: yes

+    :setup: server

+    :steps:

+        1. Add test entry

+        2. Add ACI

+        3. ACI role should be followed

+    :expectedresults:

+        1. Entry should be added

+        2. Operation should succeed

+        3. Operation should succeed

     """

     # set aci

     Domain(topo.standalone, DNBASE).set("aci", aci)

@@ -225,18 +226,19 @@ def test_positive(topo, _add_user, aci_of_user, user, entry, aci):

 ])

 def test_negative(topo, _add_user, aci_of_user, user, entry, aci):

-    """

-        :id: c4c887c2-786b-11e8-a328-8c16451d917b

-        :parametrized: yes

-        :setup: server

-        :steps:

-            1. Add test entry

-            2. Add ACI

-            3. ACI role should be followed

-        :expectedresults:

-            1. Entry should be added

-            2. Operation should  succeed

-            3. Operation should  succeed

+    """Negative testing of ACLs

+

+    :id: c4c887c2-786b-11e8-a328-8c16451d917b

+    :parametrized: yes

+    :setup: server

+    :steps:

+        1. Add test entry

+        2. Add ACI

+        3. ACI role should be followed

+    :expectedresults:

+        1. Entry should be added

+        2. Operation should succeed

+        3. Operation should not succeed

     """

     # set aci

     Domain(topo.standalone, DNBASE).set("aci", aci)

diff --git a/dirsrvtests/tests/suites/acl/acl_deny_test.py b/dirsrvtests/tests/suites/acl/acl_deny_test.py

index 8ea6cd27b..96d08e9da 100644

--- a/dirsrvtests/tests/suites/acl/acl_deny_test.py

+++ b/dirsrvtests/tests/suites/acl/acl_deny_test.py

@@ -1,3 +1,11 @@

+# --- BEGIN COPYRIGHT BLOCK ---

+# Copyright (C) 2020 Red Hat, Inc.

+# All rights reserved.

+#

+# License: GPL (version 3 or any later version).

+# See LICENSE for details.

+# --- END COPYRIGHT BLOCK ---

+#

 import logging

 import pytest

 import os

@@ -5,7 +13,7 @@ import ldap

 import time

 from lib389._constants import *

 from lib389.topologies import topology_st as topo

-from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES

+from lib389.idm.user import UserAccount, TEST_USER_PROPERTIES

 from lib389.idm.domain import Domain

 pytestmark = pytest.mark.tier1

diff --git a/dirsrvtests/tests/suites/acl/acl_test.py b/dirsrvtests/tests/suites/acl/acl_test.py

index 5ca86523c..4c3214650 100644

--- a/dirsrvtests/tests/suites/acl/acl_test.py

+++ b/dirsrvtests/tests/suites/acl/acl_test.py

@@ -1,5 +1,5 @@

 # --- BEGIN COPYRIGHT BLOCK ---

-# Copyright (C) 2016 Red Hat, Inc.

+# Copyright (C) 2020 Red Hat, Inc.

 # All rights reserved.

 #

 # License: GPL (version 3 or any later version).

@@ -14,9 +14,8 @@ from lib389.schema import Schema

 from lib389.idm.domain import Domain

 from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES

 from lib389.idm.organizationalrole import OrganizationalRole, OrganizationalRoles

-

 from lib389.topologies import topology_m2

-from lib389._constants import SUFFIX, DN_SCHEMA, DN_DM, DEFAULT_SUFFIX, PASSWORD

+from lib389._constants import SUFFIX, DN_DM, DEFAULT_SUFFIX, PASSWORD

 pytestmark = pytest.mark.tier1

@@ -243,6 +242,14 @@ def moddn_setup(topology_m2):

                        'userpassword': BIND_PW})

     user.create(properties=user_props, basedn=SUFFIX)

+    # Add anonymous read aci

+    ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"*\")" % (SUFFIX)

+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"

+    ACI_SUBJECT = " userdn = \"ldap:///anyone\";)"

+    ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+    suffix = Domain(m1, SUFFIX)

+    suffix.add('aci', ACI_BODY)

+

     # DIT for staging

     m1.log.info("Add {}".format(STAGING_DN))

     o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"})

@@ -411,7 +418,8 @@ def test_moddn_staging_prod(topology_m2, moddn_setup,

 def test_moddn_staging_prod_9(topology_m2, moddn_setup):

-    """

+    """Test with nsslapd-moddn-aci set to off so that MODDN requires an 'add' aci.

+

     :id: 222dd7e8-7ff1-40b8-ad26-6f8e42fbfcd9

     :setup: MMR with two masters,

             M1 - staging DIT

@@ -1061,10 +1069,12 @@ def test_mode_legacy_ger_with_moddn(topology_m2, moddn_setup):

 @pytest.fixture(scope="module")

 def rdn_write_setup(topology_m2):

     topology_m2.ms["master1"].log.info("\n\n######## Add entry tuser ########\n")

-    topology_m2.ms["master1"].add_s(Entry((SRC_ENTRY_DN, {

-        'objectclass': "top person".split(),

-        'sn': SRC_ENTRY_CN,

-        'cn': SRC_ENTRY_CN})))

+    user = UserAccount(topology_m2.ms["master1"], SRC_ENTRY_DN)

+    user_props = TEST_USER_PROPERTIES.copy()

+    user_props.update({'sn': SRC_ENTRY_CN,

+                       'cn': SRC_ENTRY_CN,

+                       'userpassword': BIND_PW})

+    user.create(properties=user_props, basedn=SUFFIX)

 def test_rdn_write_get_ger(topology_m2, rdn_write_setup):

diff --git a/dirsrvtests/tests/suites/acl/default_aci_allows_self_write.py b/dirsrvtests/tests/suites/acl/default_aci_allows_self_write.py

index 5700abfba..9c7226b42 100644

--- a/dirsrvtests/tests/suites/acl/default_aci_allows_self_write.py

+++ b/dirsrvtests/tests/suites/acl/default_aci_allows_self_write.py

@@ -21,7 +21,7 @@ pytestmark = pytest.mark.tier1

 USER_PASSWORD = "some test password"

 NEW_USER_PASSWORD = "some new password"

-@pytest.mark.skipif(default_paths.perl_enabled or ds_is_older('1.4.2.0'), reason="Default aci's in older versions do not support this functionality")

+@pytest.mark.skipif(ds_is_older('1.4.2.0'), reason="Default aci's in older versions do not support this functionality")

 def test_acl_default_allow_self_write_nsuser(topology):

     """

     Testing nsusers can self write and self read. This it a sanity test

@@ -80,7 +80,7 @@ def test_acl_default_allow_self_write_nsuser(topology):

     self_ent.change_password(USER_PASSWORD, NEW_USER_PASSWORD)

-@pytest.mark.skipif(default_paths.perl_enabled or ds_is_older('1.4.2.0'), reason="Default aci's in older versions do not support this functionality")

+@pytest.mark.skipif(ds_is_older('1.4.2.0'), reason="Default aci's in older versions do not support this functionality")

 def test_acl_default_allow_self_write_user(topology):

     """

     Testing users can self write and self read. This it a sanity test

diff --git a/dirsrvtests/tests/suites/acl/deladd_test.py b/dirsrvtests/tests/suites/acl/deladd_test.py

index 45a66be94..afdc772d1 100644

--- a/dirsrvtests/tests/suites/acl/deladd_test.py

+++ b/dirsrvtests/tests/suites/acl/deladd_test.py

@@ -86,8 +86,8 @@ def _add_user(request, topo):

 def test_allow_delete_access_to_groupdn(topo, _add_user, _aci_of_user):

-    """

-    Test allow delete access to groupdn

+    """Test allow delete access to groupdn

+

     :id: 7cf15992-68ad-11e8-85af-54e1ad30572c

     :setup: topo.standalone

     :steps:

@@ -124,8 +124,8 @@ def test_allow_delete_access_to_groupdn(topo, _add_user, _aci_of_user):

 def test_allow_add_access_to_anyone(topo, _add_user, _aci_of_user):

-    """

-    Test to  allow add access  to anyone

+    """Test to allow add access to anyone

+

     :id: 5ca31cc4-68e0-11e8-8666-8c16451d917b

     :setup: topo.standalone

     :steps:

@@ -160,8 +160,8 @@ def test_allow_add_access_to_anyone(topo, _add_user, _aci_of_user):

 def test_allow_delete_access_to_anyone(topo, _add_user, _aci_of_user):

-    """

-    Test to allow  delete access to anyone

+    """Test to allow delete access to anyone

+

     :id: f5447c7e-68e1-11e8-84c4-8c16451d917b

     :setup: server

     :steps:

@@ -191,8 +191,8 @@ def test_allow_delete_access_to_anyone(topo, _add_user, _aci_of_user):

 def test_allow_delete_access_not_to_userdn(topo, _add_user, _aci_of_user):

-    """

-    Test to  Allow delete access to != userdn

+    """Test to Allow delete access to != userdn

+

     :id: 00637f6e-68e3-11e8-92a3-8c16451d917b

     :setup: server

     :steps:

@@ -224,8 +224,8 @@ def test_allow_delete_access_not_to_userdn(topo, _add_user, _aci_of_user):

 def test_allow_delete_access_not_to_group(topo, _add_user, _aci_of_user):

-    """

-    Test to Allow delete access to != groupdn

+    """Test to Allow delete access to != groupdn

+

     :id: f58fc8b0-68e5-11e8-9313-8c16451d917b

     :setup: server

     :steps:

@@ -263,8 +263,8 @@ def test_allow_delete_access_not_to_group(topo, _add_user, _aci_of_user):

 def test_allow_add_access_to_parent(topo, _add_user, _aci_of_user):

-    """

-    Test to Allow add privilege to parent

+    """Test to Allow add privilege to parent

+

     :id: 9f099845-9dbc-412f-bdb9-19a5ea729694

     :setup: server

     :steps:

@@ -299,8 +299,8 @@ def test_allow_add_access_to_parent(topo, _add_user, _aci_of_user):

 def test_allow_delete_access_to_parent(topo, _add_user, _aci_of_user):

-    """

-    Test to  Allow delete access to parent

+    """Test to Allow delete access to parent

+

     :id: 2dd7f624-68e7-11e8-8591-8c16451d917b

     :setup: server

     :steps:

@@ -333,10 +333,10 @@ def test_allow_delete_access_to_parent(topo, _add_user, _aci_of_user):

     new_user.delete()

-def test_allow_delete_access_to_dynamic_group(topo, _add_user, _aci_of_user):

+def test_allow_delete_access_to_dynamic_group(topo, _add_user, _aci_of_user, request):

+

+    """Test to Allow delete access to dynamic group

-    """

-    Test to  Allow delete access to dynamic group

     :id: 14ffa452-68ed-11e8-a60d-8c16451d917b

     :setup: server

     :steps:

@@ -361,8 +361,8 @@ def test_allow_delete_access_to_dynamic_group(topo, _add_user, _aci_of_user):

     # Set ACI

     Domain(topo.standalone, DEFAULT_SUFFIX).\

-        add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr=*)'

-                   f'(version 3.0; acl "$tet_thistest"; '

+        add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})(targetattr="*")'

+                   f'(version 3.0; acl "{request.node.name}"; '

                    f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')

     # create connection with USER_WITH_ACI_DELADD

@@ -372,10 +372,10 @@ def test_allow_delete_access_to_dynamic_group(topo, _add_user, _aci_of_user):

     UserAccount(conn, USER_DELADD).delete()

-def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user):

+def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user, request):

+

+    """Test to Allow delete access to dynamic group

-    """

-    Test to  Allow delete access to dynamic group

     :id: 010a4f20-752a-4173-b763-f520c7a85b82

     :setup: server

     :steps:

@@ -401,7 +401,7 @@ def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user)

     # Set ACI

     Domain(topo.standalone, DEFAULT_SUFFIX).\

         add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'

-                   f'(targetattr=uid)(version 3.0; acl "$tet_thistest"; '

+                   f'(targetattr="uid")(version 3.0; acl "{request.node.name}"; '

                    f'allow (delete) (groupdn = "ldap:///{group.dn}"); )')

     # create connection with USER_WITH_ACI_DELADD

@@ -411,10 +411,10 @@ def test_allow_delete_access_to_dynamic_group_uid(topo, _add_user, _aci_of_user)

     UserAccount(conn, USER_DELADD).delete()

-def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user):

+def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user, request):

+

+    """Test to  Allow delete access to != dynamic group

-    """

-    Test to  Allow delete access to != dynamic group

     :id: 9ecb139d-bca8-428e-9044-fd89db5a3d14

     :setup: server

     :steps:

@@ -439,7 +439,7 @@ def test_allow_delete_access_not_to_dynamic_group(topo, _add_user, _aci_of_user)

     # Set ACI

     Domain(topo.standalone, DEFAULT_SUFFIX).\

         add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'

-                   f'(targetattr=*)(version 3.0; acl "$tet_thistest"; '

+                   f'(targetattr="*")(version 3.0; acl "{request.node.name}"; '

                    f'allow (delete) (groupdn != "ldap:///{group.dn}"); )')

     # create connection with USER_WITH_ACI_DELADD

diff --git a/dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py b/dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py

index ca9456935..0cecde4b8 100644

--- a/dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py

+++ b/dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py

@@ -1,5 +1,5 @@

 # --- BEGIN COPYRIGHT BLOCK ---

-# Copyright (C) 2016 Red Hat, Inc.

+# Copyright (C) 2020 Red Hat, Inc.

 # All rights reserved.

 #

 # License: GPL (version 3 or any later version).

@@ -31,15 +31,13 @@ def env_setup(topology_st):

     log.info("Add a container: %s" % CONTAINER_1)

     topology_st.standalone.add_s(Entry((CONTAINER_1,

-                                        {'objectclass': 'top',

-                                         'objectclass': 'organizationalunit',

+                                        {'objectclass': ['top','organizationalunit'],

                                          'ou': CONTAINER_1_OU,

                                          })))

     log.info("Add a container: %s" % CONTAINER_2)

     topology_st.standalone.add_s(Entry((CONTAINER_2,

-                                        {'objectclass': 'top',

-                                         'objectclass': 'organizationalunit',

+                                        {'objectclass': ['top', 'organizationalunit'],

                                          'ou': CONTAINER_2_OU,

                                          })))

@@ -75,13 +73,13 @@ def test_enhanced_aci_modrnd(topology_st, env_setup):

     :id: 492cf2a9-2efe-4e3b-955e-85eca61d66b9

     :setup: Standalone instance

     :steps:

-          1. Create two containers

-          2. Create a user within "ou=test_ou_1,dc=example,dc=com"

-          3. Add an aci with a rule "cn=test_user is allowed all" within these containers

-          4. Run MODRDN operation on the "cn=test_user" and set "newsuperior" to

-          the "ou=test_ou_2,dc=example,dc=com"

-          5. Check there is no user under container one (ou=test_ou_1,dc=example,dc=com)

-          6. Check there is a user under container two (ou=test_ou_2,dc=example,dc=com)

+         1. Create two containers

+         2. Create a user within "ou=test_ou_1,dc=example,dc=com"

+         3. Add an aci with a rule "cn=test_user is allowed all" within these containers

+         4. Run MODRDN operation on the "cn=test_user" and set "newsuperior" to

+            the "ou=test_ou_2,dc=example,dc=com"

+         5. Check there is no user under container one (ou=test_ou_1,dc=example,dc=com)

+         6. Check there is a user under container two (ou=test_ou_2,dc=example,dc=com)

     :expectedresults:

          1. Two containers should be created

diff --git a/dirsrvtests/tests/suites/acl/globalgroup_part2_test.py b/dirsrvtests/tests/suites/acl/globalgroup_part2_test.py

index b10fb1b65..7474f61f0 100644

--- a/dirsrvtests/tests/suites/acl/globalgroup_part2_test.py

+++ b/dirsrvtests/tests/suites/acl/globalgroup_part2_test.py

@@ -1,5 +1,5 @@

 # --- BEGIN COPYRIGHT BLOCK ---

-# Copyright (C) 2019 Red Hat, Inc.

+# Copyright (C) 2020 Red Hat, Inc.

 # All rights reserved.

 #

 # License: GPL (version 3 or any later version).

@@ -70,6 +70,14 @@ def test_user(request, topo):

             'userPassword': PW_DM

         })

+    # Add anonymous access aci

+    ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)

+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"

+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"

+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)

+    suffix.add('aci', ANON_ACI)

+

     uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'uid=GROUPDNATTRSCRATCHENTRY_GLOBAL,ou=nestedgroup')

     for demo1 in ['c1', 'CHILD1_GLOBAL']:

         uas.create(properties={

@@ -112,7 +120,7 @@ def test_undefined_in_group_eval_five(topo, test_user, aci_of_user):

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPF_GLOBAL))

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPF_GLOBAL))

     conn = UserAccount(topo.standalone, DEEPUSER2_GLOBAL).bind(PW_DM)

     # This aci should NOT allow access

     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)

@@ -140,7 +148,7 @@ def test_undefined_in_group_eval_six(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, ALLGROUPS_GLOBAL))

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, ALLGROUPS_GLOBAL))

     conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)

     # test UNDEFINED in group

     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)

@@ -168,7 +176,7 @@ def test_undefined_in_group_eval_seven(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPH_GLOBAL))

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPH_GLOBAL))

     conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)

     # test UNDEFINED in group

     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)

@@ -196,7 +204,7 @@ def test_undefined_in_group_eval_eight(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{} || ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, GROUPA_GLOBAL, ALLGROUPS_GLOBAL))

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{} || ldap:///{} || ldap:///{}" ;)'.format(GROUPH_GLOBAL, GROUPA_GLOBAL, ALLGROUPS_GLOBAL))

     conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)

     # test UNDEFINED in group

     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)

@@ -224,7 +232,7 @@ def test_undefined_in_group_eval_nine(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{} || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPA_GLOBAL, GROUPH_GLOBAL))

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{} || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPA_GLOBAL, GROUPH_GLOBAL))

     conn = UserAccount(topo.standalone, DEEPUSER3_GLOBAL).bind(PW_DM)

     # test UNDEFINED in group

     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)

@@ -252,7 +260,7 @@ def test_undefined_in_group_eval_ten(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "description#GROUPDN";)')

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "description#GROUPDN";)')

     user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)

     user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])

     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)

@@ -281,7 +289,7 @@ def test_undefined_in_group_eval_eleven(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not( userattr = "description#GROUPDN");)')

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not( userattr = "description#GROUPDN");)')

     user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)

     user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])

     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)

@@ -312,7 +320,7 @@ def test_undefined_in_group_eval_twelve(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')

     user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)

     user.add("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])

     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)

@@ -341,7 +349,7 @@ def test_undefined_in_group_eval_fourteen(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')

     user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)

     user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])

     conn = UserAccount(topo.standalone, DEEPUSER2_GLOBAL).bind(PW_DM)

@@ -372,7 +380,7 @@ def test_undefined_in_group_eval_fifteen(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#USERDN";)')

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#USERDN";)')

     UserAccount(topo.standalone, NESTEDGROUP_OU_GLOBAL).add("description", DEEPUSER_GLOBAL)

     # Here do the same tests for userattr  with the parent keyword.

     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)

@@ -399,7 +407,7 @@ def test_undefined_in_group_eval_sixteen(topo, test_user, aci_of_user):

             5. Operation should  succeed

     """

     domain = Domain(topo.standalone, DEFAULT_SUFFIX)

-    domain.add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not ( userattr = "parent[0,1].description#USERDN");)')

+    domain.add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not ( userattr = "parent[0,1].description#USERDN");)')

     domain.add("description", DEEPUSER_GLOBAL)

     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)

     # Test with parent keyword with not key

@@ -427,7 +435,7 @@ def test_undefined_in_group_eval_seventeen(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)')

     user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)

     # Test with the parent keyord

     user.add("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])

@@ -455,7 +463,7 @@ def test_undefined_in_group_eval_eighteen(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) not (userattr = "parent[0,1].description#GROUPDN" );)')

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) not (userattr = "parent[0,1].description#GROUPDN" );)')

     user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)

     # Test with parent keyword with not key

     user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])

diff --git a/dirsrvtests/tests/suites/acl/globalgroup_test.py b/dirsrvtests/tests/suites/acl/globalgroup_test.py

index 58c4392e5..dc51a8170 100644

--- a/dirsrvtests/tests/suites/acl/globalgroup_test.py

+++ b/dirsrvtests/tests/suites/acl/globalgroup_test.py

@@ -1,5 +1,5 @@

 # --- BEGIN COPYRIGHT BLOCK ---

-# Copyright (C) 2019 Red Hat, Inc.

+# Copyright (C) 2020 Red Hat, Inc.

 # All rights reserved.

 #

 # License: GPL (version 3 or any later version).

@@ -72,6 +72,14 @@ def test_user(request, topo):

             'userPassword': PW_DM

         })

+    # Add anonymous access aci

+    ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (DEFAULT_SUFFIX)

+    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"

+    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"

+    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)

+    suffix.add('aci', ANON_ACI)

+

     uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'ou=nestedgroup')

     for demo1 in ['DEEPUSER_GLOBAL', 'scratchEntry', 'DEEPUSER2_GLOBAL', 'DEEPUSER1_GLOBAL',

                   'DEEPUSER3_GLOBAL', 'GROUPDNATTRSCRATCHENTRY_GLOBAL', 'newChild']:

@@ -361,7 +369,7 @@ def test_undefined_in_group_eval_two(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))

     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)

     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)

     # This aci should  allow access

@@ -389,7 +397,7 @@ def test_undefined_in_group_eval_three(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL))

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(GROUPG_GLOBAL, ALLGROUPS_GLOBAL))

     conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)

     user = Domain(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)

     # test UNDEFINED in group

@@ -417,7 +425,7 @@ def test_undefined_in_group_eval_four(topo, test_user, aci_of_user):

             4. Operation should  succeed

             5. Operation should  succeed

     """

-    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr=*)(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))

+    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn != "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))

     conn = UserAccount(topo.standalone, DEEPUSER1_GLOBAL).bind(PW_DM)

     # test UNDEFINED in group

     user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)

diff --git a/dirsrvtests/tests/suites/acl/keywords_part2_test.py b/dirsrvtests/tests/suites/acl/keywords_part2_test.py

index c2aa9ac53..642e65bad 100644

--- a/dirsrvtests/tests/suites/acl/keywords_part2_test.py

+++ b/dirsrvtests/tests/suites/acl/keywords_part2_test.py

@@ -1,5 +1,5 @@

 # --- BEGIN COPYRIGHT BLOCK ---

-# Copyright (C) 2019 Red Hat, Inc.

+# Copyright (C) 2020 Red Hat, Inc.

 # All rights reserved.

 #

 # License: GPL (version 3 or any later version).

@@ -68,7 +68,7 @@ def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):

     # Add ACI

     domain = Domain(topo.standalone, DEFAULT_SUFFIX)

-    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '

+    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci "IP aci"; '

                       f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')

     # create a new connection for the test

@@ -76,12 +76,13 @@ def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):

     # Perform Operation

     org = OrganizationalUnit(conn, IP_OU_KEY)

     org.replace("seeAlso", "cn=1")

+

     # remove the aci

-    domain.ensure_removed("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci '

+    domain.ensure_removed("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=\"*\")(version 3.0; aci '

                                  f'"IP aci"; allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and '

                                  f'ip = "{ip_ip}" ;)')

     # Now add aci with new ip

-    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)(version 3.0; aci "IP aci"; '

+    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")(version 3.0; aci "IP aci"; '

                       f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "100.1.1.1" ;)')

     # After changing  the ip user cant access data

@@ -106,10 +107,11 @@ def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):

     """

     # Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.

     ip_ip = topo.standalone.ds_access_log.match('.* connection from ')[0].split()[-1]

+

     # Add ACI

     domain = Domain(topo.standalone, DEFAULT_SUFFIX)

     domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")'

-                      f'(targetattr=*)(version 3.0; aci "IP aci"; '

+                      f'(targetattr="*")(version 3.0; aci "IP aci"; '

                       f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '

                       f'and ip != "{ip_ip}" ;)')

@@ -122,7 +124,7 @@ def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):

     # Remove the ACI

     domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])

     # Add new ACI

-    domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)'

+    domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")'

                       f'(version 3.0; aci "IP aci"; allow(all) '

                       f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')

@@ -148,7 +150,7 @@ def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):

     # Add ACI

     Domain(topo.standalone,

            DEFAULT_SUFFIX).add("aci", f'(target ="ldap:///{IP_OU_KEY}")'

-                                      f'(targetattr=*)(version 3.0; aci "IP aci"; allow(all) '

+                                      f'(targetattr="*")(version 3.0; aci "IP aci"; allow(all) '

                                       f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')

     # Create a new connection for this test.

@@ -177,7 +179,7 @@ def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):

     # Add ACI

     Domain(topo.standalone,

            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'

-                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '

+                                      f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '

                                       f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '

                                       f'(timeofday >= "0000" and timeofday <= "2359") ;)')

@@ -206,7 +208,7 @@ def test_user_can_access_the_data_only_in_the_morning(topo, add_user, aci_of_use

     # Add ACI

     Domain(topo.standalone,

            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'

-                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '

+                                      f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '

                                       f'allow(all) userdn = "ldap:///{DAYWORKER_KEY}" '

                                       f'and timeofday < "1200" ;)')

@@ -239,7 +241,7 @@ def test_user_can_access_the_data_only_in_the_afternoon(topo, add_user, aci_of_u

     # Add ACI

     Domain(topo.standalone,

            DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'

-                                      f'(targetattr=*)(version 3.0; aci "Timeofday aci"; '

+                                      f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '

                                       f'allow(all) userdn = "ldap:///{NIGHTWORKER_KEY}" '

                                       f'and timeofday > \'1200\' ;)')