authorGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-26 02:36:45 +0200
committerGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-26 02:36:45 +0200
commit6689ea9829fd2957ff1c1589b0731eedb5fc8817 (patch)
treea882337de4b2024f72c94b45c3c561b08fc30bb4 /ldap/test-user-acl.sh
parent4239920246a5123644fd7a778b467aa371f990e6 (diff)
Updated the LDAP schema to suit the list creation script, and the acl to suit the SASL authentication.
Diffstat (limited to 'ldap/test-user-acl.sh')
-rwxr-xr-xldap/test-user-acl.sh212
1 files changed, 193 insertions, 19 deletions
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index b3fd930..12f3d14 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -11,7 +11,9 @@
SLAPACL=/usr/sbin/slapacl
-SUFFIX="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+SUFFIXV="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+SUFFIXS="ou=services,o=mailHosting,dc=fripost,dc=dev"
+SUFFIX="${SUFFIXV}"
RES=$(tempfile) || exit 1
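Review bot: `SUFFIX` becomes a mutable global here whose meaning changes partway through the script — it starts as `${SUFFIXV}` and, as a later hunk in this commit shows, is reassigned to `${SUFFIXS}` before the service checks — but nothing at the definition says so, and `checkACL` builds the bind DN from it. A one-line comment at the assignment would spare the next reader the search: `# SUFFIX is the parent of the bind DN; it is switched to ${SUFFIXS} for the service checks below`.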
@@ -19,7 +21,7 @@ checkACL () {
CMD=${SLAPACL}
BIND="${1},${SUFFIX}"
if [ -n "${1}" ]; then CMD="${CMD} -D ${BIND}"; fi
- if [ -n "${2}" ]; then BASE="${2},${SUFFIX}"; else BASE="${SUFFIX}"; fi
+ if [ -n "${2}" ]; then BASE="${2},${SUFFIXV}"; else BASE="${SUFFIXV}"; fi
shift; shift
${CMD} -b "${BASE}" "$@" 2>&1 | grep -vixF -e "authcDN: \"${BIND}\""
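Review bot: After this change the bind DN (`BIND`, built from `SUFFIX`) and the target base (`BASE`, now built from `SUFFIXV`) come from different variables, and because `SUFFIX` is reassigned later in the file the asymmetry is deliberate but invisible at this point; a comment such as `# bind under the current SUFFIX (virtual or services); target entries always live under SUFFIXV` would make that explicit. Separately, `${CMD} -D ${BIND}` is expanded unquoted, so the `-D` argument depends on word splitting; it works for the DNs used here but would break on a DN containing a space, and `if [ -n "${1}" ]; then "${SLAPACL}" -D "${BIND}" -b "${BASE}" "$@"; else "${SLAPACL}" -b "${BASE}" "$@"; fi 2>&1 | grep -vixF -e "authcDN: \"${BIND}\""` avoids building the command line as a string. The `checkACL` function starts before this hunk.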
@@ -74,6 +76,10 @@ ALIASES=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualAlias" dn | \
grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fva=\1,fvd=\2/')
LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \
grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/')
+LISTSC=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualListCommand" dn | \
+ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+), *([^,]+),.*/fvlc=\1,fvl=\2,fvd=\3/')
+
+OPERATTRS="structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp"
########################################################################
@@ -150,7 +156,7 @@ usersB children | isOK '=z$' children
msg "Have =0 access to the operational attributes"
-usersB structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' entryUUID
+usersB ${OPERATTRS} | isOK '=0$' entryUUID
[ $? -eq 0 ] || exit $?
@@ -224,7 +230,7 @@ usersD entry/search fripostOwner/search fripostPostmaster/search | isOK 'ALLOWED
[ $? -eq 0 ] || exit $?
msg "Have =0 access to the operational attributes"
-usersD structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' entryUUID
+usersD ${OPERATTRS} | isOK '=0$' entryUUID
[ $? -eq 0 ] || exit $?
@@ -478,7 +484,7 @@ usersU entry/read entry/search entry/disclose fvu/read \
[ $? -eq 0 ] || exit $?
msg "Have =0 access to their \"children\" and operational attributes"
-usersU children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children
+usersU children ${OPERATTRS} | isOK '=0$' children
[ $? -eq 0 ] || exit $?
msg "Have =s access to \"objectClass\""
@@ -532,7 +538,7 @@ usersP entry | isOK '=arsd$' entry
[ $? -eq 0 ] || exit $?
msg "Have =0 access to their users' \"children\" and operational attributes (if Postmaster)"
-usersP children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children
+usersP children ${OPERATTRS} | isOK '=0$' children
[ $? -eq 0 ] || exit $?
@@ -578,7 +584,7 @@ usersA fripostOwner/search entry/search | isOK 'ALLOWED$' entry
msg "Have =0 access to the \"children\" and operational attributes"
-usersA children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children
+usersA children ${OPERATTRS} | isOK '=0$' children
[ $? -eq 0 ] || exit $?
msg "Have =s access to \"objectClass\""
@@ -701,7 +707,7 @@ echo "Authenticated users, access to list entries"
# * entry:
# =s for all
# +a if canCreateList, domain owner or domain postmaster
-# +zrd if list owner, domain owner or domain postmaster
+# +rd if list owner, domain owner or domain postmaster
# * children:
# =0 for all
# * fvl:
@@ -710,7 +716,7 @@ echo "Authenticated users, access to list entries"
# =rscd if list owner, domain owner or domain postmaster
# * fripostIsStatusActive:
# =wrscd if list owner, domain owner or domain postmaster
-# * fripostListCommand:
+# * fripostIsStatusPending:
# =rscd if list owner, domain owner or domain postmaster
# * fripostOwner:
# =d for all
@@ -734,40 +740,48 @@ usersL fripostOwner/search entry/search | isOK 'ALLOWED$' entry
msg "Have =0 access the \"children\" and operational attributes"
-usersL children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children
+usersL children ${OPERATTRS} | isOK '=0$' children
[ $? -eq 0 ] || exit $?
-msg "Cannot change transport-related attributes"
+msg "Cannot change transport"
for U in ${USERS}; do
for L in ${LISTS}; do
- checkACL "${U}" "${L}" fripostListCommand/add fripostListCommand/delete \
- fripostListManager/write
+ checkACL "${U}" "${L}" fripostListManager/write
done
done | isOK 'DENIED$' fripostListManager
[ $? -eq 0 ] || exit $?
-ATTRS="entry/read entry/disclose entry/delete
+msg "Cannot edit pending status; Cannot delete entry"
+for U in ${USERS}; do
+ for L in ${LISTS}; do
+ checkACL "${U}" "${L}" fripostIsStatusPending/write entry/delete
+ done
+done | isOK 'DENIED$' fripostIsStatusPending
+[ $? -eq 0 ] || exit $?
+
+
+ATTRS="entry/read entry/disclose
fvl/write fvl/read fvl/search fvl/compare fvl/disclose
fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose
fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
- fripostListCommand/read fripostListCommand/search fripostListCommand/compare fripostListCommand/disclose
+ fripostIsStatusPending/read fripostIsStatusPending/search fripostIsStatusPending/compare fripostIsStatusPending/disclose
fripostOwner/read fripostOwner/compare fripostOwner/disclose
description/add description/delete description/read description/compare description/disclose"
ATTRS2="fripostOwner/add fripostOwner/delete"
-msg "Can edit/delete list (if list Owner)"
+msg "Can edit list (if list Owner)"
for U in ${USERS}; do
for L in ${LISTS}; do
search -s base -b "${L},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
checkACL "${U}" "${L}" ${ATTRS}
done
-done | isOK 'ALLOWED$' entry delete
+done | isOK 'ALLOWED$' entry read
[ $? -eq 0 ] || exit $?
-msg "Can edit/create/delete list (if domain Owner)"
+msg "Can edit/create list (if domain Owner)"
[ $? -eq 0 ] || exit $?
for U in ${USERS}; do
for L in ${LISTS}; do
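Review bot: The new "Cannot edit pending status; Cannot delete entry" check runs `checkACL "${U}" "${L}" fripostIsStatusPending/write entry/delete` and pipes both results into `isOK 'DENIED$' fripostIsStatusPending`; `isOK` is not visible here, but if — as its other call sites such as `isOK 'ALLOWED$' entry read` suggest — the trailing arguments select which lines are counted, the `entry/delete` denial is only caught by the `DENIED$` pattern and is never asserted to be present, so an entry that emits no delete line at all would pass. Splitting it into `... | isOK 'DENIED$' fripostIsStatusPending write` and `... | isOK 'DENIED$' entry delete` would pin both expectations. Also note the copied `[ $? -eq 0 ] || exit $?` idiom exits with the status of the failed `[` (1), not with isOK's status — pre-existing pattern, but worth fixing as these lines are touched.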
@@ -779,7 +793,7 @@ done | isOK 'ALLOWED$' entry add
[ $? -eq 0 ] || exit $?
-msg "Can edit/create/delete list (if domain Postmaster)"
+msg "Can edit/create list (if domain Postmaster)"
[ $? -eq 0 ] || exit $?
for U in ${USERS}; do
for L in ${LISTS}; do
@@ -855,9 +869,169 @@ for U in ${USERS}; do
done | isOK 'DENIED$' entry delete
[ $? -eq 0 ] || exit $?
+msg "Have =0 access to the list command entries"
+for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ checkACL "${U}" "${LC}"
+ done
+done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
###########################################################################
+SUFFIX="${SUFFIXS}"
+
+echo
+echo "Service SMTP"
+
+msg "Can read and search the domain attributes it needs"
+for D in ${DOMAINS}; do
+ checkACL "cn=SMTP" "${D}" entry objectClass fvd fripostIsStatusActive fripostOptionalMaildrop
+done | isOK '=rsd$' entry
+
+msg "Have =0 access on other domain attributes"
+for D in ${DOMAINS}; do
+ checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
+done | isOK 'none(=0)$' children
+
+msg "Can read and search the mailbox attributes it needs"
+for U in ${USERS}; do
+ checkACL "cn=SMTP" "${U}" entry objectClass fvu fripostIsStatusActive fripostOptionalMaildrop
+done | isOK '=rsd$' entry
+
+msg "Have =0 access on other mailbox attributes"
+for U in ${USERS}; do
+ checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostMailboxQuota description
+done | isOK 'none(=0)$' children
+
+msg "Can read and search the alias attributes it needs"
+for A in ${ALIASES}; do
+ checkACL "cn=SMTP" "${A}" entry objectClass fva fripostMaildrop fripostIsStatusActive
+done | isOK '=rsd$' entry
+
+msg "Have =0 access on other alias attributes"
+for A in ${ALIASES}; do
+ checkACL "cn=SMTP" "${A}" children ${OPERATTRS} fripostOwner description
+done | isOK 'none(=0)$' children
+
+msg "Can read and search the list attributes it needs"
+for L in ${LISTS}; do
+ checkACL "cn=SMTP" "${L}" entry objectClass fvl fripostIsStatusActive fripostLocalAlias fripostIsStatusPending
+done | isOK '=rsd$' entry
+
+msg "Have =0 access on other list attributes"
+for L in ${LISTS}; do
+ checkACL "cn=SMTP" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description
+done | isOK 'none(=0)$' children
+
+msg "Can read and search the list command attributes it needs"
+for LC in ${LISTSC}; do
+ checkACL "cn=SMTP" "${LC}" entry objectClass fvlc fripostIsStatusActive fripostLocalAlias
+done | isOK '=rsd$' entry
+
+msg "Have =0 access on other list command attributes"
+for LC in ${LISTSC}; do
+ checkACL "cn=SMTP" "${LC}" children ${OPERATTRS}
+done | isOK 'none(=0)$' children
+
+
+###########################################################################
+
+echo
+echo "Service ListCreator"
+
+msg "Have =0 access on domain attributes"
+for D in ${DOMAINS}; do
+ checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
+done | isOK '=0$' entry
+
+msg "Have =0 access on mailbox attributes"
+for U in ${USERS}; do
+ checkACL "cn=ListCreator" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostMailboxQuota fripostOptionalMaildrop description
+done | isOK '=0$' entry
+
+msg "Have =0 access on alias attributes"
+for A in ${ALIASES}; do
+ checkACL "cn=ListCreator" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
+done | isOK '=0$' entry
+
+msg "Have =zrd access on lists' pending status"
+for L in ${LISTS}; do
+ checkACL "cn=ListCreator" "${L}" fripostIsStatusPending
+done | isOK '=zrd$'
+
+msg "Have =rsd access on lists' entry attribute"
+for L in ${LISTS}; do
+ checkACL "cn=ListCreator" "${L}" entry
+done | isOK '=rsd$'
+
+msg "Have =a access on lists' children attribute"
+for L in ${LISTS}; do
+ checkACL "cn=ListCreator" "${L}" children
+done | isOK '=a$'
+
+msg "Have =0 access on other list attributes"
+for L in ${LISTS}; do
+ checkACL "cn=ListCreator" "${L}" ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description
+done | isOK '=0$' fvl
+
+msg "Have =a access on list commands' entry attribute"
+for LC in ${LISTSC}; do
+ checkACL "cn=ListCreator" "${LC}" entry
+done | isOK '=a$'
+
+msg "Have =0 access on other list command attributes"
+for LC in ${LISTSC}; do
+ checkACL "cn=ListCreator" "${LC}" children ${OPERATTRS} fvlc fripostLocalAlias
+done | isOK '=0$' children
+
+
+###########################################################################
+
+echo
+echo "Service AdminWebPanel"
+
+msg "Have =0 access on domain attributes"
+for D in ${DOMAINS}; do
+ checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
+done | isOK 'none(=0)$' entry
+
+msg "Have =0 access on mailbox attributes"
+for U in ${USERS}; do
+ checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostMailboxQuota fripostOptionalMaildrop description
+done | isOK 'none(=0)$' entry
+
+msg "Have =0 access on alias attributes"
+for A in ${ALIASES}; do
+ checkACL "cn=AdminWebPanel" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
+done | isOK 'none(=0)$' entry
+
+msg "Have =0 access on list attributes"
+for L in ${LISTS}; do
+ checkACL "cn=AdminWebPanel" "${L}" entry children ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description fripostIsStatusPending
+done | isOK 'none(=0)$' entry
+
+msg "Have =0 access on other list command attributes"
+for LC in ${LISTSC}; do
+ checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias
+done | isOK 'none(=0)$' entry
+
+if sudo -u fpanel klist >/dev/null; then
+ msg "Can SASL authenticate (GSSAPI)"
+ DN=$(echo "dn:cn=AdminWebPanel,${SUFFIXS}" | tr [A-Z] [a-z])
+ DN2=$(sudo -u fpanel ldapwhoami -Q | tr [A-Z] [a-z])
+ if [ "${DN}" = "${DN2}" ]; then echo ok; else echo fail; fi | isOK '^ok$'
+
+ msg "Can proxy authorize"
+ for U in ${USERS}; do
+ DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z])
+ DN2=$(sudo -u fpanel ldapwhoami -Q -X "${DN}" | tr [A-Z] [a-z])
+ if [ "${DN}" = "${DN2}" ]; then echo ok; else echo fail; fi
+ done | isOK '^ok$'
+else
+ echo "WARN: No valid ticket found. Didn't check SSAL authentication"
+fi
+
rm "${RES}"
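Review bot: None of the new service checks (cn=SMTP, cn=ListCreator, cn=AdminWebPanel and the SASL/proxy-authorization block) is followed by the `[ $? -eq 0 ] || exit $?` guard that every earlier check uses, so a regression such as cn=SMTP gaining access to `userPassword` or cn=AdminWebPanel gaining read on mailbox entries would be printed but the script would still end with the status of `rm "${RES}"`, i.e. success. Add the guard after each `isOK` in these sections (or have the failures recorded in `${RES}` and tested before it is removed) so the script is usable as a CI gate for the ACL. Two smaller points in the same hunk: `tr [A-Z] [a-z]` is unquoted, so a file named `A`..`Z` in the working directory would be globbed into the DN comparison — write `tr '[A-Z]' '[a-z]'`; and the warning string says `SSAL` where `SASL` is meant.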