keystone-moon/keystone/tests/unit/backend/core_ldap.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import ldap

from oslo_config import cfg

from keystone.common import cache
from keystone.common import ldap as common_ldap
from keystone.common.ldap import core as common_ldap_core
from keystone.tests import unit as tests
from keystone.tests.unit import default_fixtures
from keystone.tests.unit import fakeldap
from keystone.tests.unit.ksfixtures import database


CONF = cfg.CONF


def create_group_container(identity_api):
        # Create the groups base entry (ou=Groups,cn=example,cn=com)
        group_api = identity_api.driver.group
        conn = group_api.get_connection()
        dn = 'ou=Groups,cn=example,cn=com'
        conn.add_s(dn, [('objectclass', ['organizationalUnit']),
                        ('ou', ['Groups'])])


class BaseBackendLdapCommon(object):
    """Mixin class to set up generic LDAP backends."""

    def setUp(self):
        super(BaseBackendLdapCommon, self).setUp()

        common_ldap.register_handler('fake://', fakeldap.FakeLdap)
        self.load_backends()
        self.load_fixtures(default_fixtures)

        self.addCleanup(common_ldap_core._HANDLERS.clear)
        self.addCleanup(self.clear_database)

    def _get_domain_fixture(self):
        """Domains in LDAP are read-only, so just return the static one."""
        return self.resource_api.get_domain(CONF.identity.default_domain_id)

    def clear_database(self):
        for shelf in fakeldap.FakeShelves:
            fakeldap.FakeShelves[shelf].clear()

    def get_config(self, domain_id):
        # Only one conf structure unless we are using separate domain backends
        return CONF

    def config_overrides(self):
        super(BaseBackendLdapCommon, self).config_overrides()
        self.config_fixture.config(group='identity', driver='ldap')

    def config_files(self):
        config_files = super(BaseBackendLdapCommon, self).config_files()
        config_files.append(tests.dirs.tests_conf('backend_ldap.conf'))
        return config_files

    def get_user_enabled_vals(self, user):
            user_dn = (
                self.identity_api.driver.user._id_to_dn_string(user['id']))
            enabled_attr_name = CONF.ldap.user_enabled_attribute

            ldap_ = self.identity_api.driver.user.get_connection()
            res = ldap_.search_s(user_dn,
                                 ldap.SCOPE_BASE,
                                 u'(sn=%s)' % user['name'])
            if enabled_attr_name in res[0][1]:
                return res[0][1][enabled_attr_name]
            else:
                return None


class BaseBackendLdap(object):
    """Mixin class to set up an all-LDAP configuration."""
    def setUp(self):
        # NOTE(dstanek): The database must be setup prior to calling the
        # parent's setUp. The parent's setUp uses services (like
        # credentials) that require a database.
        self.useFixture(database.Database())
        super(BaseBackendLdap, self).setUp()

    def load_fixtures(self, fixtures):
        # Override super impl since need to create group container.
        create_group_container(self.identity_api)
        super(BaseBackendLdap, self).load_fixtures(fixtures)


class BaseBackendLdapIdentitySqlEverythingElse(tests.SQLDriverOverrides):
    """Mixin base for Identity LDAP, everything else SQL backend tests."""

    def config_files(self):
        config_files = super(BaseBackendLdapIdentitySqlEverythingElse,
                             self).config_files()
        config_files.append(tests.dirs.tests_conf('backend_ldap_sql.conf'))
        return config_files

    def setUp(self):
        sqldb = self.useFixture(database.Database())
        super(BaseBackendLdapIdentitySqlEverythingElse, self).setUp()
        self.clear_database()
        self.load_backends()
        cache.configure_cache_region(cache.REGION)

        sqldb.recreate()
        self.load_fixtures(default_fixtures)
        # defaulted by the data load
        self.user_foo['enabled'] = True

    def config_overrides(self):
        super(BaseBackendLdapIdentitySqlEverythingElse,
              self).config_overrides()
        self.config_fixture.config(group='identity', driver='ldap')
        self.config_fixture.config(group='resource', driver='sql')
        self.config_fixture.config(group='assignment', driver='sql')


class BaseBackendLdapIdentitySqlEverythingElseWithMapping(object):
    """Mixin base class to test mapping of default LDAP backend.

    The default configuration is not to enable mapping when using a single
    backend LDAP driver.  However, a cloud provider might want to enable
    the mapping, hence hiding the LDAP IDs from any clients of keystone.
    Setting backward_compatible_ids to False will enable this mapping.

    """
    def config_overrides(self):
        super(BaseBackendLdapIdentitySqlEverythingElseWithMapping,
              self).config_overrides()
        self.config_fixture.config(group='identity_mapping',
                                   backward_compatible_ids=False)