add test for idassert

2025-02-17 14:00:30 +08:00 · 2004-06-19 10:05:07 +00:00 · 2004-06-19 10:05:07 +00:00 · 49d64acdf6
commit 49d64acdf6
parent 45523220c9
7 changed files with 395 additions and 1 deletions
--- a/tests/data/slapd-idassert.conf
+++ b/tests/data/slapd-idassert.conf
@ -0,0 +1,117 @@
+# master slapd config -- for testing
+# $OpenLDAP: pkg/ldap/tests/data/slapd-pw.conf,v 1.19.2.4 2003/12/15 22:05:29 
+ kurt Exp $
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2003 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+#ucdata-path	./ucdata
+include ./schema/core.schema
+include ./schema/cosine.schema
+include ./schema/inetorgperson.schema
+include ./schema/openldap.schema
+include ./schema/nis.schema
+pidfile     ./testrun/slapd.1.pid
+argsfile    ./testrun/slapd.1.args
+
+# password-hash	{md5}
+
+#mod#modulepath	../servers/slapd/back-@BACKEND@/
+#mod#moduleload	back_@BACKEND@.la
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+
+authz-policy	both
+authz-regexp	"^uid=admin/([^,]+),.*" "ldap:///ou=Admin,dc=example,dc=com??sub?cn=$1"
+authz-regexp	"^uid=it/([^,]+),.*" "ldap:///ou=People,dc=example,dc=it??sub?uid=$1"
+authz-regexp	"^uid=(us/)*([^,]+),.*" "ldap:///ou=People,dc=example,dc=com??sub?uid=$2"
+
+#
+# normal installations should protect root dse,
+# cn=monitor, cn=schema, and cn=config
+#
+
+access to attr=userpassword
+	by self =wx
+	by anonymous =x
+
+access to *
+	by users read
+	by * search
+
+database	@BACKEND@
+#ldbm#cachesize	0
+suffix		"dc=example,dc=com"
+directory	./testrun/db.1.a
+rootdn		"cn=Manager,dc=example,dc=com"
+rootpw		secret
+index		objectClass	eq
+index		cn,sn,uid	pres,eq,sub
+
+access to dn.exact="cn=Proxy,ou=Admin,dc=example,dc=com"
+		attr=authzTo
+	by dn.exact="cn=Proxy,ou=Admin,dc=example,dc=com" =wx
+	by * =x
+
+database	@BACKEND@
+#ldbm#cachesize	0
+suffix		"dc=example,dc=it"
+directory	./testrun/db.2.a
+rootdn		"cn=Manager,dc=example,dc=it"
+rootpw		secret
+index		objectClass	eq
+index		cn,sn,uid	pres,eq,sub
+
+database	ldap
+suffix		"o=Example,c=US"
+suffixmassage	"o=Example,c=US" "dc=example,dc=com"
+uri		"ldap://:9011/"
+
+#sasl#idassert-method "sasl" "authcDN=cn=Proxy US,ou=Admin,dc=example,dc=com" "authcID=admin/proxy US" "cred=proxy" "mech=DIGEST-MD5"
+#nosasl#idassert-method "simple"
+#nosasl#idassert-authcDN	"cn=Proxy US,ou=Admin,dc=example,dc=com"
+#nosasl#idassert-passwd		proxy
+idassert-mode	self
+
+# authorizes database
+idassert-authz	"dn.subtree:dc=example,dc=it"
+
+database	ldap
+suffix		"o=Esempio,c=IT"
+suffixmassage	"o=Esempio,c=IT" "dc=example,dc=com"
+uri		"ldap://:9011/"
+
+acl-authcDN	"cn=Proxy IT,ou=Admin,dc=example,dc=com"
+acl-passwd	proxy
+
+idassert-method "simple"
+idassert-authcDN	"cn=Proxy IT,ou=Admin,dc=example,dc=com"
+idassert-passwd		proxy
+idassert-mode	"dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
+
+# authorizes database
+idassert-authz	"dn.subtree:dc=example,dc=com"
+# authorizes anonymous
+idassert-authz	"dn.exact:"
+
+access to attrs=entry,cn,sn,mail
+	by users read
+
+access to *
+	by dn.exact="cn=Proxy IT,ou=Admin,o=Esempio,c=IT" read
+	by group.exact="cn=Authorizable,ou=Groups,o=Esempio,c=IT" read
+	by dn.exact="cn=Sandbox,ou=Admin,dc=example,dc=com" search
+	by * none
+
+
--- a/tests/data/test-idassert1.ldif
+++ b/tests/data/test-idassert1.ldif
@ -0,0 +1,66 @@
+dn: dc=example,dc=com
+objectClass: organization
+objectClass: dcObject
+o: Example, Inc.
+dc: example
+
+dn: ou=People,dc=example,dc=com
+objectClass: organizationalUnit
+ou: People
+
+dn: uid=bjorn,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Bjorn Jensen
+sn: Jensen
+uid: bjorn
+userPassword:: Ympvcm4=
+mail: bjorn@example.com
+description: ***
+authzFrom: dn.exact:uid=jaj,o=Example,c=US
+
+dn: uid=bjensen,ou=People,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Barbara Jensen
+sn: Jensen
+uid: bjensen
+userPassword:: YmplbnNlbg==
+mail: bjensen@example.com
+description: ***
+
+dn: ou=Groups,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=All,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: All
+member: uid=bjorn,ou=People,dc=example,dc=com
+member: uid=bjensen,ou=People,dc=example,dc=com
+
+dn: cn=Authorizable,ou=Groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: Authorizable
+member: uid=bjorn,ou=People,dc=example,dc=com
+
+dn: ou=Admin,dc=example,dc=com
+objectClass: organizationalUnit
+ou: Admin
+
+dn: cn=Proxy US,ou=Admin,dc=example,dc=com
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: Proxy US
+userPassword:: cHJveHk=
+authzTo: dn.subtree:ou=People,dc=example,dc=it
+
+dn: cn=Proxy IT,ou=Admin,dc=example,dc=com
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: Proxy IT
+userPassword:: cHJveHk=
+authzTo: dn.exact:cn=Sandbox,ou=Admin,dc=example,dc=com
+authzTo: dn.exact:
+
+dn: cn=Sandbox,ou=Admin,dc=example,dc=com
+objectClass: applicationProcess
+cn: Sandbox
--- a/tests/data/test-idassert2.ldif
+++ b/tests/data/test-idassert2.ldif
@ -0,0 +1,27 @@
+dn: dc=example,dc=it
+objectClass: organization
+objectClass: dcObject
+o: Example
+o: Esempio S.p.A.
+dc: example
+
+dn: ou=People,dc=example,dc=it
+objectClass: organizationalUnit
+ou: People
+
+dn: uid=dots,ou=People,dc=example,dc=it
+objectClass: inetOrgPerson
+cn: Dorothy Stevens
+sn: Stevens
+uid: dots
+userPassword:: ZG90cw==
+mail: dots@example.it
+
+dn: uid=jaj,ou=People,dc=example,dc=it
+objectClass: inetOrgPerson
+cn: James A Jones 1
+sn: Jones
+uid: jaj
+userPassword:: amFq
+mail: jaj@example.it
+
--- a/tests/run.in
+++ b/tests/run.in
@ -31,9 +31,10 @@ AC_ppolicy=ppolicy@BUILD_PPOLICY@
 AC_refint=refint@BUILD_REFINT@
 AC_unique=unique@BUILD_UNIQUE@
 AC_MONITOR=@BUILD_MONITOR@
+AC_WITH_SASL=@WITH_SASL@
 AC_WITH_TLS=@WITH_TLS@

-export AC_MONITOR AC_WITH_TLS AC_ldap AC_pcache AC_ppolicy
+export AC_MONITOR AC_WITH_SASL AC_WITH_TLS AC_ldap AC_pcache AC_ppolicy
 export AC_refint AC_unique

 if test ! -x ../servers/slapd/slapd ; then
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@ -22,6 +22,12 @@ if [ x"$MONITORDB" = x"yes" -o x"$MONITORDB" = xmod ] ; then
 else
 	MON=nomonitor
 fi
+USE_SASL=${SLAPD_USE_SASL+yes}
+if [ x"$WITH_SASL" = x"yes" -a x"$USE_SASL" = x"yes" ] ; then
+	SASL="sasl"
+else
+	SASL="nosasl"
+fi
 sed -e "s/@BACKEND@/${BACKEND}/"			\
 	-e "s/^#${BACKEND}#//"				\
 	-e "s/^#${BACKENDTYPE}#//"			\
@ -32,5 +38,6 @@ sed -e "s/@BACKEND@/${BACKEND}/"			\
 	-e "s/^#${AC_unique}#//"			\
 	-e "s/^#${MON}#//"				\
 	-e "s/^#${MONMOD}#//"				\
+	-e "s/^#${SASL}#//"				\
 	-e "s/@CACHETTL@/${CACHETTL}/"			\
 	-e "s/@ENTRY_LIMIT@/${CACHE_ENTRY_LIMIT}/"   
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@ -14,10 +14,12 @@
 ## <http://www.OpenLDAP.org/license.html>.

 MONITORDB=${AC_MONITOR-no}
+BACKLDAP=${AC_ldap-ldapno}
 PROXYCACHE=${AC_pcache-pcacheno}
 PPOLICY=${AC_ppolicy-ppolicyno}
 REFINT=${AC_refint-refintno}
 UNIQUE=${AC_unique-uniqueno}
+WITH_SASL=${AC_WITH_SASL-no}
 WITHTLS=${AC_WITHTLS-yes}

 DATADIR=./testdata
@ -60,6 +62,7 @@ UNIQUECONF=$DATADIR/slapd-unique.conf
 LIMITSCONF=$DATADIR/slapd-limits.conf
 DNCONF=$DATADIR/slapd-dn.conf
 EMPTYDNCONF=$DATADIR/slapd-emptydn.conf
+IDASSERTCONF=$DATADIR/slapd-idassert.conf

 CONF1=$TESTDIR/slapd.1.conf
 CONF2=$TESTDIR/slapd.2.conf
@ -132,6 +135,8 @@ LDIFLIMITS=$DATADIR/test-limits.ldif
 LDIFDN=$DATADIR/test-dn.ldif
 LDIFEMPTYDN1=$DATADIR/test-emptydn1.ldif
 LDIFEMPTYDN2=$DATADIR/test-emptydn2.ldif
+LDIFIDASSERT1=$DATADIR/test-idassert1.ldif
+LDIFIDASSERT2=$DATADIR/test-idassert2.ldif
 MONITOR=""
 REFDN="c=US"
 BASEDN="dc=example,dc=com"
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@ -0,0 +1,171 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2004 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $BACKLDAP = "ldapno" ; then 
+	echo "LDAP backend not available, test skipped"
+	exit 0
+fi 
+
+if test $WITH_SASL = "yes" ; then
+	echo "Using SASL authc/authz..."
+else
+	echo "SASL not available; using proxyAuthz with simple authc..."
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2
+
+echo "Running slapadd to build slapd database..."
+. $CONFFILTER $BACKEND $MONITORDB < $IDASSERTCONF > $ADDCONF
+$SLAPADD -f $ADDCONF -l $LDIFIDASSERT1 -n 1
+RC=$?
+if test $RC != 0 ; then
+	echo "slapadd -n 1 failed ($RC)!"
+	exit $RC
+fi
+$SLAPADD -f $ADDCONF -l $LDIFIDASSERT2 -n 2
+RC=$?
+if test $RC != 0 ; then
+	echo "slapadd -n 2 failed ($RC)!"
+	exit $RC
+fi
+
+echo "Starting slapd on TCP/IP port $PORT..."
+. $CONFFILTER $BACKEND $MONITORDB < $IDASSERTCONF > $CONF1
+$SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+    echo PID $PID
+    read foo
+fi
+KILLPIDS="$PID"
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting 5 seconds for slapd to start..."
+	sleep 5
+done
+
+echo "Testing ldapwhoami as proxy US..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+AUTHZID="u:it/jaj"
+echo "Testing ldapwhoami as proxy US, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+AUTHZID="u:bjorn"
+echo "Testing ldapwhoami as proxy US, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 1 ; then
+	echo "ldapwhoami should have failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+AUTHZID="u:bjensen"
+echo "Testing ldapwhoami as proxy US, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy US,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 1 ; then
+	echo "ldapwhoami should have failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Testing ldapwhoami as proxy IT..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+AUTHZID="u:it/jaj"
+echo "Testing ldapwhoami as proxy IT, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 1 ; then
+	echo "ldapwhoami should have failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+AUTHZID="u:bjorn"
+echo "Testing ldapwhoami as proxy IT, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 1 ; then
+	echo "ldapwhoami should have failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+AUTHZID="dn:cn=Sandbox,ou=Admin,dc=example,dc=com"
+echo "Testing ldapwhoami as proxy IT, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "cn=proxy IT,ou=Admin,dc=example,dc=com" -w proxy -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+AUTHZID="dn:uid=bjorn,ou=People,o=Example,c=US"
+echo "Testing ldapwhoami as bjorn, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "uid=bjorn,ou=people,dc=example,dc=com" -w bjorn -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+AUTHZID="dn:uid=bjorn,ou=People,o=Esempio,c=IT"
+echo "Testing ldapwhoami as bjorn, $AUTHZID..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "uid=bjorn,ou=people,dc=example,dc=com" -w bjorn -e\!"authzid=$AUTHZID"
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapwhoami failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+echo ">>>>> Test succeeded"
+exit 0
+