From e2810e7875fe1376b4f96d02524f437d743910d2 Mon Sep 17 00:00:00 2001 From: Matúš Honěk Date: Oct 05 2018 08:46:36 +0000 Subject: Ticket 49943 - rfc3673_all_oper_attrs_test is not strict enough Bug Description: Test suites/filter/rfc3673_all_oper_attrs_test.py::test_search_basic does not reach constraints extensively. The asserts are too benevolent. The commit 6ef4eb5 changed 'normal user' ACIs, however these changes introduced new attr 'modifiersName' which was supposed to be missing when searching. In the first case, assert checks only for 'objectClass' and pseudo-randomly one more attr to be present which is not sufficient. In the second case, recently changed assert introduced weaker check than the one present before. Fix Description: Bring back previous ACI to explicitly test the difference when binding as normal user and the DM. In case of add_attr == '*', test for all expected_attrs to be in found_attrs. In the other case bring back the strict comparison as there used to be before. https://pagure.io/389-ds-base/issue/49943 Author: mhonek Review by: firstyear, spichugi (Thanks!)
---
diff --git a/dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py b/dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py
index dd2193d..67bbda4 100644
--- a/dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py
+++ b/dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py
@@ -84,7 +84,10 @@ def user_aci(topology_st): under whole suffix """ - ACI_BODY = ensure_bytes('(targetattr= "objectClass || cn || sn || mail || uid || uidNumber || gidNumber || homeDirectory || creatorsName || createTimestamp || modifyTimestamp || nsUniqueId || parentid || entryid || entrydn || ou || numSubordinates")(version 3.0; acl "Allow read for user"; allow (read,search,compare) userdn = "ldap:///%s";)' % TEST_USER_DN) + ACI_TARGET = '(targetattr= "modifiersName")' + ACI_RULE = ('(version 3.0; acl "Deny modifiersName for user"; deny (read)' + ' userdn = "ldap:///%s";)' % TEST_USER_DN) + ACI_BODY = ensure_bytes(ACI_TARGET + ACI_RULE) topology_st.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_ADD, 'aci', ACI_BODY)]) @@ -142,24 +145,20 @@ def test_search_basic(topology_st, create_user, user_aci, add_attr, topology_st.standalone.simple_bind_s(DN_DM, ensure_bytes(PASSWORD)) search_filter = ['+'] + expected_attrs = oper_attr_list if add_attr: search_filter.append(add_attr) - expected_attrs = sorted(oper_attr_list + ['objectClass']) - else: - expected_attrs = sorted(oper_attr_list) + expected_attrs += ['objectClass'] entries = topology_st.standalone.search_s(search_suffix, ldap.SCOPE_BASE, '(objectclass=*)', search_filter) - found_attrs = sorted(entries[0].data.keys()) + found_attrs = entries[0].data.keys() if add_attr == '*': - # Check that found attrs contain both operational - # and non-operational attributes - assert all(attr in found_attrs - for attr in ['objectClass', expected_attrs[0]]) + assert set(expected_attrs) - set(found_attrs) == set() else: - assert set(expected_attrs).issubset(set(found_attrs)) + assert set(expected_attrs) == set(found_attrs) if __name__ == '__main__':
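Review bot: The new ACI denies only the `read` right on `modifiersName`, so what this fixture pins is that the value is not returned to TEST_USER_DN; whether that user may still reference the attribute in a search filter or a compare is left to whatever other ACIs apply on the suffix. A comment above `ACI_TARGET` would make that scope explicit, e.g. `# deny (read) only: the test checks returned attributes, not search/compare on modifiersName`. The docstring of `user_aci` starts outside the hunk; if it still describes an allow-read ACI, it should be updated to match the deny rule.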
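Review bot: `expected_attrs = oper_attr_list` binds the same list object, so `expected_attrs += ['objectClass']` appends to `oper_attr_list` in place; if that list comes from the parametrize table (the signature is outside the hunk), later cases sharing it would inherit `objectClass`, and the strict `==` comparison could then fail or pass for the wrong reason. Copying first avoids this: `expected_attrs = list(oper_attr_list)`. Separately, the `add_attr == '*'` branch is still only a subset check, so it would not notice a denied attribute such as `modifiersName` being returned to the regular user; an explicit absence assertion for that case would close the gap.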