| -rw-r--r-- | ldap/acl.ldif | 50 | ||||
| -rw-r--r-- | ldap/populate.ldif | 20 | ||||
| -rwxr-xr-x | ldap/test-user-acl.sh | 281 | 
3 files changed, 312 insertions, 39 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 7b19d5f..5cc0ef0 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -84,9 +84,9 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
     by dnattr=fripostOwner =z break
     by * =0 break
 #
-# The list creation service can delete the 'pending' status on lists.
+# The list creation service can delete the 'pending' status on lists and list commands.
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
-        filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+        filter=(&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(objectClass=FripostPendingEntry))
         attrs=objectClass val=FripostPendingEntry
     by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =z break
     by * +0 break
@@ -97,7 +97,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
     by * +rscd
 #
 # The pending token is not public, but domain owner and postmasters can check their and
-# delete it (upon success, but it's done on the library side).
+# delete it (if the token matches, but the check is done on the library side).
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
         filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry))
         attrs=fripostPendingToken
@@ -105,9 +105,9 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
     by dnattr=fripostOwner =zcd break
     by * +0 break
 #
-# The list creation service can delete the 'pending' status on lists.
+# The list creation service can delete the 'pending' status on lists and list commands.
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
-        filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+        filter=(&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(objectClass=FripostPendingEntry))
         attrs=fripostPendingToken
     by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +z
     by * +0
@@ -119,14 +119,6 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
     by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break
     by * =0 break
 #
-# Only the list creation service may add list commands. (It seems unsafe since it can create
-# arbitrary commands, but as other services it run in safe environments only.)
-# (Listcommands are not concerned by the cleaning service.)
-olcAccess: to dn.regex="^fvl=[^,]+-[^,-]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
-        filter=(objectClass=FripostVirtualListCommand)
-        attrs=entry
-    by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
-#
 # One can search search everywhere in the virtual tree.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         attrs=entry
@@ -149,7 +141,6 @@ olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
         attrs=children
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
-    by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
 #
 # The cleaning service needs to know when entries have been created.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
@@ -159,6 +150,7 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 #
 # Users can use these in filters (e.g., to list the entries they have created).
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+        filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
         attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
 #
@@ -352,18 +344,38 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
     by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
     by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
 #
-# 1-3. People with "canAddList" access can create lists, but only with a
-# 'pending' status.
-# 4. The list creation service can search and browse the entry.
+# 1. The domain owner can create and delete lists, but only those with a 'pending' status
+# 2. So can the domain postmaster.
+# 3. The list owner can delete pending lists.
+# 4. The entry creator can delete pending lists (needed to be able to rollback).
+# 5. People with "canAddList" access can create lists, but only with a 'pending' status.
+# 6. The list creation service can search and browse the entry.
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
         filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
         attrs=entry
-    by group/FripostVirtualDomain/fripostOwner.expand="$1" +a break
-    by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +a break
+    by group/FripostVirtualDomain/fripostOwner.expand="$1" +w break
+    by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +w break
+    by dnattr=fripostOwner +z continue
+    by dnattr=creatorsName +z continue
     by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a break
     by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +rd
     by * +0 break
 #
+# 1. The domain owner can create and delete list commands, but only those with a 'pending' status
+# 2. So can the domain postmaster.
+# 3. The entry creator can delete pending list commands (needed to be able to rollback).
+# 4. People with "canAddList" access can create list commands, but only with a 'pending' status.
+# 5. The list creation service can search and browse the entry.
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+        filter=(&(objectClass=FripostVirtualListCommand)(objectClass=FripostPendingEntry))
+        attrs=entry
+    by group/FripostVirtualDomain/fripostOwner.expand="$1" +w
+    by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +w
+    by dnattr=creatorsName +z continue
+    by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
+    by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +rd
+    by * +0
+#
 # 1. The list owners can read the entry.
 # 2. So can the domain's Owner.
 # 3. So can the domain's Postmaster.
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index edd5d73..73d11fa 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -220,6 +220,26 @@ FripostLocalAlias: list-request#postmastered.org
 objectClass: SimpleSecurityObject
 userPassword: bogus
+dn: fvl=list-request,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualListCommand
+objectClass: FripostPendingEntry
+FripostLocalAlias: list-request#example2.org
+
+dn: fvl=list-request,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualListCommand
+objectClass: FripostPendingEntry
+FripostLocalAlias: list-request#example3.org
+
+dn: fvl=list2-request,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualListCommand
+objectClass: FripostPendingEntry
+FripostLocalAlias: list2-request#postmastered.org
+
+dn: fvl=list3-request,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualListCommand
+objectClass: FripostPendingEntry
+FripostLocalAlias: list2-request#postmastered.org
+
 dn: fvl=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: FripostVirtualUser
 userPassword: user
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index cfa577d..5e92a3c 100755
--- a/ldap/test-user-acl.sh
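Review bot: The new list-command directive (the `olcAccess` block filtered on `(&(objectClass=FripostVirtualListCommand)(objectClass=FripostPendingEntry))`) matches any `fvl=` RDN, whereas the directive this diff removes from old line 122 onwards only admitted list commands named `^fvl=[^,]+-[^,-]+,fvd=...`; since domain owners, postmasters and canAddList users can now `+a` such entries, the ACL no longer enforces the `<list>-<command>` naming, so keep the stricter regex here unless the schema or the library guarantees it (neither is visible in this diff). The `by` clauses of this directive also differ from the list directive just above in that none of them `break`, so evaluation stops here for every matching identity; if that is deliberate (the test expects list commands to be unreadable), record it in the header comment, e.g. `# No 'break' here: later directives must not add privileges on list commands.`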
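Review bot: The last added entry, `dn: fvl=list3-request,fvd=owned.org,...`, carries `FripostLocalAlias: list2-request#postmastered.org`, which is the alias of the entry above it; the other three entries use `<fvl>#<fvd>`, so this looks like a copy-paste slip and should read `FripostLocalAlias: list3-request#owned.org`. As far as this diff shows, the ACL tests only filter on objectClass, creatorsName and the owner attributes, so the mismatch would not be caught by test-user-acl.sh.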
+++ b/ldap/test-user-acl.sh
@@ -421,6 +421,16 @@ usersD ${OPERATTRS} | isOK '=0$' entryUUID
 [ $? -eq 0 ] || exit $?
+msg "Cannot create non-pending entries"
+for U in ${USERS}; do
+    for D in ${DOMAINS}; do
+        search -s base -b "${D},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' || \
+        checkACL "${U}" "${D}" entry/add
+    done
+done | isOK 'DENIED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
 # We check the following permissions:
 #  0. Simple user
 #  1. canAddAlias (exact,wildcard)
@@ -894,7 +904,8 @@ echo "Authenticated users, access to list entries"
 # * entry:
 #       =s for all
 #       +a if canAddList, domain owner or domain postmaster
-#       +rd if list owner, domain owner or domain postmaster
+#       +z if creator
+#       +zrd if list owner, domain owner or domain postmaster
 # * children:
 #       =0 for all
 # * objectClass
@@ -942,12 +953,22 @@ done | isOK 'DENIED$' fripostListManager
 [ $? -eq 0 ] || exit $?
-msg "Cannot delete entry or the pending status"
+msg "Cannot remove the pending status"
 for U in ${USERS}; do
     for L in ${LISTS}; do
-        checkACL "${U}" "${L}" objectClass/delete:FripostPendingEntry entry/delete
+        checkACL "${U}" "${L}" objectClass/delete:FripostPendingEntry
     done
-done | isOK 'DENIED$' entry
+done | isOK 'DENIED$' 'objectClass=FripostPendingEntry' delete
+[ $? -eq 0 ] || exit $?
+
+
+msg "Cannot create or delete non-pending entries"
+for U in ${USERS}; do
+    for L in ${LISTS}; do
+        search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' || \
+        checkACL "${U}" "${L}" entry/delete entry/add
+    done
+done | isOK 'DENIED$' entry delete
 [ $? -eq 0 ] || exit $?
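Review bot: In the new `Cannot create or delete non-pending entries` block the loop asks checkACL for both `entry/delete` and `entry/add`, but the output is piped to `isOK 'DENIED$' entry delete`; if isOK's trailing arguments select which attribute/access lines are checked, as the other calls in this file suggest, the add verdicts are silently ignored and a wrongly ALLOWED add would pass. The same shape recurs in the `-1000,7` hunk (`entry/add entry/delete` checked with `isOK 'ALLOWED$' entry add`) and in the list-command section's `Cannot create or delete non-pending entries`, `Can create list command (...)` and `Do not have +a or +z access` blocks (`isOK ... entry add`). Either request only the access that is checked, or check both, e.g. `done | isOK 'DENIED$' entry`, as the single-access blocks in this diff already do.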
@@ -1000,7 +1021,7 @@ for U in ${USERS}; do
         DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
         search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
         search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
-        checkACL "${U}" "${L}" entry/add
+        checkACL "${U}" "${L}" entry/add entry/delete
     done
 done | isOK 'ALLOWED$' entry add
 [ $? -eq 0 ] || exit $?
@@ -1015,7 +1036,7 @@ for U in ${USERS}; do
         search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
         checkACL "${U}" "${L}" entry/add
     done
-done | isOK 'ALLOWED$' entry add
+done | isOK 'ALLOWED$' entry
 [ $? -eq 0 ] || exit $?
@@ -1046,22 +1067,68 @@ done | isOK 'ALLOWED$' entry
 [ $? -eq 0 ] || exit $?
-msg "Do not have >=a access to \"entry\" (unless canAddList)"
+msg "Have >=z access to \"entry\" (if pending list owner)"
+for U in ${USERS}; do
+    for L in ${LISTS}; do
+        search -s base -b "${L},${SUFFIX}" "(&(objectClass=FripostPendingEntry)(fripostOwner=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+        checkACL "${U}" "${L}" entry/delete
+    done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have >=z access to \"entry\" (if pending list creator)"
+ldapadd -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' > /dev/null << EOF
+dn: fvl=testlist,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
+objectClass: FripostPendingEntry
+FripostLocalAlias: testlist#example3.org
+fripostListManager: mailman
+fripostIsStatusActive: TRUE
+EOF
+for U in ${USERS}; do
+    for L in ${LISTS} 'fvl=testlist,fvd=example3.org'; do
+        search -s base -b "${L},${SUFFIX}" "(&(objectClass=FripostPendingEntry)(creatorsName=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+        checkACL "${U}" "${L}" entry/delete
+    done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+ldapdelete -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' \
+           "fvl=testlist,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev" > /dev/null
+
+
+msg "Do not have +a access to \"entry\" (unless canAddList on pending lists)"
 for U in ${USERS}; do
     DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
     for L in ${LISTS}; do
         DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
-        search -s base -b "${DL},${SUFFIX}" "(!(|(fripostCanAddList=${U},${SUFFIX})
-                                                 (fripostCanAddList=${DU},${SUFFIX})
-                                                 (fripostOwner=${U},${SUFFIX})
-                                                 (fripostPostmaster=${U},${SUFFIX})))" | grep -q '^dn: ' || \
-        search -s base -b "${L},${SUFFIX}" "(!(objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
+        search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
+                                               (fripostCanAddList=${DU},${SUFFIX})
+                                               (fripostOwner=${U},${SUFFIX})
+                                               (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+        search -s base -b "${L},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
         checkACL "${U}" "${L}" entry/add
     done
 done | isOK 'DENIED$' entry
 [ $? -eq 0 ] || exit $?
+msg "Do not have +z access to \"entry\" (unless canAddList on pending lists)"
+for U in ${USERS}; do
+    DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+    for L in ${LISTS}; do
+        DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+        search -s base -b "${DL},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
+                                               (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+        search -s base -b "${L},${SUFFIX}" "(fripostOwner=${U},${SUFFIX})" | grep -q '^dn: ' || \
+        search -s base -b "${L},${SUFFIX}" "(creatorsName=${U},${SUFFIX})" | grep -q '^dn: ' || \
+        search -s base -b "${L},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+        checkACL "${U}" "${L}" entry/delete
+    done
+done | isOK 'DENIED$' entry
+[ $? -eq 0 ] || exit $?
+
+
 msg "Cannot manage ownership (unless domain owner/domain postmaster)"
 for U in ${USERS}; do
     for L in ${LISTS}; do
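Review bot: In `Do not have +a access to \"entry\" (unless canAddList on pending lists)` the chain `search <rights> || search <pending> || checkACL ... entry/add` only reaches checkACL when the user has no rights on the domain and the list is not pending, so the two cases the ACL must deny — a privileged user on a non-pending list, and an unprivileged user on a pending list — are no longer exercised, whereas the removed `(!rights) || (!pending) && checkACL` form covered them. Because the shell evaluates `||` and `&&` left to right with equal precedence, turning the `|| \` that precedes the `objectClass=FripostPendingEntry` search into `&& \` restores the intended `!(rights && pending)` guard; the same one-token change fixes the `Do not have +z access` block below (only the `||` before its final pending search) and the two `Do not have` blocks of the list-command section in the next hunk. Separately, the `[ $? -eq 0 ] || exit $?` after the creator check runs before the `ldapdelete` of `fvl=testlist,fvd=example3.org`, so a failed assertion leaves the fixture behind and the next run's `ldapadd` (whose exit status is discarded into `/dev/null`) fails silently, emptying that check; move the cleanup ahead of the exit check or into a `trap`, and test the ldapadd status, e.g. `ldapadd ... << EOF || exit 1`.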
@@ -1086,15 +1153,174 @@ for U in ${USERS}; do
 done | isOK 'DENIED$' entry delete
 [ $? -eq 0 ] || exit $?
-msg "Have =0 access to the list command entries"
+
+###########################################################################
+
+
+echo
+echo "Authenticated users, access to list command entries"
+
+# * entry:
+#       =s for all
+#       +a if canAddList, domain owner or domain postmaster
+#       +zrd if creator, domain owner or domain postmaster
+# * children:
+#       =0 for all
+# * objectClass
+#       =rscd for all
+# * fvl:
+#       =0 forall
+# * localAlias:
+#       =0 for all
+
+
+usersLC () {
+    for U in ${USERS}; do
+        for LC in ${LISTSC}; do
+            checkACL "${U}" "${LC}" "$@"
+        done
+    done
+}
+
+msg "Have >=s access on \"entry\""
+usersLC entry/search | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Cannot read entries"
+usersLC entry/read entry/disclose | isOK 'DENIED$' entry read
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 access the \"children\", \"localAlias\" and operational attributes"
+usersLC children fripostLocalAlias ${OPERATTRS} | isOK '=0$' children
+[ $? -eq 0 ] || exit $?
+
+
+msg "Cannot remove the pending status"
+for U in ${USERS}; do
+    for LC in ${LISTSC}; do
+        checkACL "${U}" "${LC}" objectClass/delete:FripostPendingEntry
+    done
+done | isOK 'DENIED$' 'objectClass=FripostPendingEntry' delete
+[ $? -eq 0 ] || exit $?
+
+
+msg "Cannot create or delete non-pending entries"
+for U in ${USERS}; do
+    for LC in ${LISTSC}; do
+        search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' || \
+        checkACL "${U}" "${LC}" entry/add entry/delete
+    done
+done | isOK 'DENIED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+msg "Can create list command (if domain Owner)"
+[ $? -eq 0 ] || exit $?
+for U in ${USERS}; do
+    for LC in ${LISTSC}; do
+        DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+        search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
+        search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+        checkACL "${U}" "${LC}" entry/add entry/delete
+    done
+done | isOK 'ALLOWED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+msg "Can create list command (if domain Postmaster)"
+[ $? -eq 0 ] || exit $?
+for U in ${USERS}; do
+    for LC in ${LISTSC}; do
+        DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+        search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
+        search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+        checkACL "${U}" "${LC}" entry/add entry/delete
+    done
+done | isOK 'ALLOWED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+# Needed to create new entries. ("+z" is required to delete, btw.)
+msg "Have >=a access to \"entry\" (if CanAddList, exact)"
 for U in ${USERS}; do
     for LC in ${LISTSC}; do
-        checkACL "${U}" "${LC}"
+        DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+        search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \
+        search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+        checkACL "${U}" "${LC}" entry/add
     done
-done | grep -Ev '^objectClass=' | isOK '=0$' entry
+done | isOK 'ALLOWED$' entry
 [ $? -eq 0 ] || exit $?
+# Needed to create new entries. ("+z" is required to delete, btw.)
+msg "Have >=a access to \"entry\" (if CanAddList, wildcard)"
+for U in ${USERS}; do
+    DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+    for LC in ${LISTSC}; do
+        DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+        search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+        search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+        checkACL "${U}" "${LC}" entry/add
+    done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have >=z access to \"entry\" (if pending list command creator)"
+ldapadd -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' > /dev/null << EOF
+dn: fvl=test-request,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualListCommand
+objectClass: FripostPendingEntry
+FripostLocalAlias: test-request#example3.org
+EOF
+for U in ${USERS}; do
+    for LC in ${LISTSC} 'fvl=test-request,fvd=example3.org'; do
+        search -s base -b "${LC},${SUFFIX}" "(&(objectClass=FripostPendingEntry)(creatorsName=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+        checkACL "${U}" "${LC}" entry/delete
+    done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+ldapdelete -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' \
+           "fvl=test-request,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev" > /dev/null
+
+
+msg "Do not have >=a access to \"entry\" (unless canAddList)"
+for U in ${USERS}; do
+    DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+    for L in ${LISTS}; do
+        DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+        search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
+                                               (fripostCanAddList=${DU},${SUFFIX})
+                                               (fripostOwner=${U},${SUFFIX})
+                                               (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+        search -s base -b "${L},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+        checkACL "${U}" "${L}" entry/add
+    done
+done | isOK 'DENIED$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Do not have +a or +z access to \"entry\" (unless canAddList on pending lists)"
+for U in ${USERS}; do
+    DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+    for LC in ${LISTSC}; do
+        DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+        search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
+                                               (fripostCanAddList=${DU},${SUFFIX})
+                                               (fripostOwner=${U},${SUFFIX})
+                                               (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+        search -s base -b "${LC},${SUFFIX}" "(creatorsName=${U},${SUFFIX})" | grep -q '^dn: ' || \
+        search -s base -b "${LC},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+        checkACL "${U}" "${LC}" entry/add entry/delete
+    done
+done | isOK 'DENIED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+
+
 ###########################################################################
@@ -1206,8 +1432,15 @@ for L in ${LISTS}; do
 done | isOK 'ALLOWED$'
 [ $? -eq 0 ] || exit $?
+msg "Can remove the 'pending' status on list commands"
+for LC in ${LISTSC}; do
+    search -s base -b "${LC},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+    checkACL "cn=CreateList" "${LC}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
+done | isOK 'ALLOWED$'
+[ $? -eq 0 ] || exit $?
+
 msg "Cannot create a 'pending' satus"
-for L in ${LISTS}; do
+for L in ${LISTS} ${LISTSC}; do
     search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^d n: ' || \
     checkACL "cn=CreateList" "${L}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
 done | isOK 'DENIED$'
@@ -1226,11 +1459,11 @@ for L in ${LISTS}; do
 done | isOK '=rsd$'
 [ $? -eq 0 ] || exit $?
-msg "Have =a access on domains' children attribute"
+msg "Have =0 access on domains' children attribute"
 for D in ${DOMAINS}; do
     search -s base -b "${D},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
     checkACL "cn=CreateList" "${D}" children
-done | isOK '=a$'
+done | isOK '=0$'
 [ $? -eq 0 ] || exit $?
 msg "Have =0 access on other list attributes"
@@ -1239,10 +1472,11 @@ for L in ${LISTS}; do
 done | isOK '=0$' fvl
 [ $? -eq 0 ] || exit $?
-msg "Have =a access on list commands' entry attribute"
+msg "Have =rsd access on pending list commands' \"entry\" attribute"
 for LC in ${LISTSC}; do
+    search -s base -b "${LC},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
     checkACL "cn=CreateList" "${LC}" entry
-done | isOK '=a$'
+done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 msg "Have =0 access on other list command attributes"
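Review bot: `Do not have >=a access to \"entry\" (unless canAddList)` in the new list-command section iterates `for L in ${LISTS}` and searches `${L}`, so it re-runs the list test instead of covering `${LISTSC}`; either loop over `LC in ${LISTSC}` like its neighbours or drop it, since the `Do not have +a or +z access` block right after it already covers the list commands for add. Two stray `[ $? -eq 0 ] || exit $?` lines sit directly after `msg "Can create list command (if domain Owner)"` and `msg "Can create list command (if domain Postmaster)"`, before the loops whose status they are meant to check; they only test msg's exit status and should go. The section header says `+zrd if creator, domain owner or domain postmaster`, but the ACL in this diff grants `+w` to owner/postmaster and `+z` to the creator, and `Cannot read entries` below asserts that read is denied; `#       +w if domain owner or domain postmaster` and `#       +z if creator` would match the rules (and `=0 forall` reads `=0 for all`).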
@@ -1251,6 +1485,13 @@ for LC in ${LISTSC}; do
 done | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
+msg "Cannot read non pending list commands"
+for LC in ${LISTSC}; do
+    search -s base -b "${LC},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+    checkACL "cn=CreateList" "${LC}" entry/read entry/write
+done | isOK 'DENIED$' entry read
+[ $? -eq 0 ] || exit $?
+
 ###########################################################################
