Diffstat (limited to 'ldap/test-user-acl.sh')
-rwxr-xr-x | ldap/test-user-acl.sh | 87 |
1 files changed, 14 insertions, 73 deletions
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 6983706..b3fd930 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -545,26 +545,21 @@ echo "Authenticated users, access to alias entries"
 # * entry:
 # =s for all
 # +a if canCreateAlias
-# +rd if alias owner, domain owner or domain postmaster
-# +z (regular alias) if alias owner
-# +w (regular alias) if domain owner or domain postmaster
+# +zrd if alias owner, domain owner or domain postmaster
 # * children:
 # =0 for all
 # * objectClass:
 # =s for all
 # * fva:
-# =rscd (reserved alias) if domain owner or domain postmaster
-# =wrscd (regular alias) if alias owner, domain owner or domain postmaster
+# =wrscd if alias owner, domain owner or domain postmaster
 # * fripostMaildrop:
 # =wrscd if alias owner, domain owner or domain postmaster
 # * fripostIsStatusActive:
-# =rscd (reserved alias) if domain owner or domain postmaster
-# =wrscd (regular alias) if alias owner, domain owner or domain postmaster
+# =wrscd if alias owner, domain owner or domain postmaster
 # * fripostOwner:
 # =d for all
-# +rsc (reserved alias) if domain owner or domain postmaster
-# +rsc (regular alias) if alias owner, domain owner or domain postmaster
-# +w (regular alias) if domain owner or domain postmaster
+# +rsc if alias owner, domain owner or domain postmaster
+# +w if domain owner or domain postmaster
 # * description:
 # =wrscd if alias owner, domain owner or domain postmaster
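Review bot: The rewritten rights table on the `entry`, `fva`, `fripostIsStatusActive` and `fripostOwner` lines drops the reserved-alias (`abuse`, `postmaster`) carve-out without saying so, so a reader of this spec can no longer tell whether those aliases are intentionally deletable and deactivatable by their alias owner or whether the distinction was simply lost. If it is intentional, state it once at the top of the block, e.g. `# NB: reserved aliases (abuse, postmaster) are no longer special-cased; they get the same rights as any regular alias.` The tests that exercised the reserved case are removed in the next hunk (`@@ -590,70 +585,16 @@`), so this comment block becomes the only remaining record of the decision.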
@@ -590,70 +585,16 @@ msg "Have =s access to \"objectClass\"" usersD objectClass | isOK '=s' objectClass [ $? -eq 0 ] || exit $? -RESERVED_ATTRS="entry/delete - fva/write - fripostIsStatusActive/write" -RESERVED_ATTRS2="fripostOwner/add fripostOwner/delete" -ATTRS="entry/read entry/disclose - fva/read fva/search fva/compare fva/disclose +ATTRS="entry/delete entry/read entry/disclose + fva/write fva/read fva/search fva/compare fva/disclose fripostMaildrop/add fripostMaildrop/delete fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose - fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose + fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose description/add description/delete description/read description/search description/compare description/disclose" +ATTRSO="fripostOwner/add fripostOwner/delete" -msg "Cannot delete/deactivate/change ownership of reserved aliases" -for U in ${USERS}; do - for A in ${ALIASES}; do - DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')" - [ "x${LA}" = "xabuse" -o "x${LA}" = "xpostmaster" ] && \ - checkACL "${U}" "${A}" ${RESERVED_ATTRS} - done -done | isOK 'DENIED$' entry -[ $? -eq 0 ] || exit $? - - -msg "Can delete/deactivate/change ownership of regular aliases (if alias Owner)" -for U in ${USERS}; do - for A in ${ALIASES}; do - DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')" - [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \ - search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${A}" ${RESERVED_ATTRS} - done -done | isOK 'ALLOWED$' entry -[ $? -eq 0 ] || exit $? 
-
-
-msg "Can delete/deactivate/change ownership of regular aliases (if domain Owner)"
-for U in ${USERS}; do
- for A in ${ALIASES}; do
- DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')"
- [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \
- search -s base -b "${DA},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${RESERVED_ATTRS2}
- done
-done | isOK 'ALLOWED$' entry
-[ $? -eq 0 ] || exit $?
-
-
-msg "Can delete/deactivate/change ownership of regular aliases (if domain Postmaster)"
-for U in ${USERS}; do
- for A in ${ALIASES}; do
- DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')"
- [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \
- search -s base -b "${DA},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${RESERVED_ATTRS2}
- done
-done | isOK 'ALLOWED$' entry
-[ $? -eq 0 ] || exit $?
-
-
-msg "Can change destination (if alias Owner)"
+msg "Can edit alias (if alias Owner)"
 for U in ${USERS}; do
 for A in ${ALIASES}; do
 search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
@@ -663,7 +604,7 @@ done | isOK 'ALLOWED$' entry read
 [ $? -eq 0 ] || exit $?
-msg "Can change destination and create new aliases (if domain Owner)"
+msg "Can edit alias and create new aliases (if domain Owner)"
 for U in ${USERS}; do
 for A in ${ALIASES}; do
 DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
@@ -674,7 +615,7 @@ done | isOK 'ALLOWED$' entry add
 [ $? -eq 0 ] || exit $?
-msg "Can change destination and create new aliases (if domain Postmaster)"
+msg "Can edit alias and create new aliases (if domain Postmaster)"
 for U in ${USERS}; do
 for A in ${ALIASES}; do
 DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
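Review bot: The `+ATTRS=` rewrite folds `entry/delete`, `fva/write` and `fripostIsStatusActive/write` into the general list while the whole `Cannot delete/deactivate/change ownership of reserved aliases` DENIED loop is removed without replacement, so nothing in the suite now states how the `abuse` and `postmaster` aliases are meant to behave; the surviving `Can edit alias (if alias Owner)` loop (its body continues past the hunk) presumably expects ALLOWED for every owned alias, reserved ones included. Since this widens what an alias owner is verified to be able to do, record the decision next to the list so the missing negative test is not later read as an oversight, e.g. `# Reserved aliases (abuse, postmaster) are deliberately not special-cased: an alias owner may delete/deactivate them like any other alias.` The lists are also expanded unquoted on purpose so that `checkACL` receives one attr/right per argument; a comment such as `# whitespace-separated attr/right lists, expanded unquoted by design` would keep a later quoting clean-up from collapsing them into a single argument.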
@@ -731,7 +672,7 @@ for U in ${USERS}; do
 DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
 search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS2}
+ checkACL "${U}" "${A}" ${ATTRSO}
 done
 done | isOK 'DENIED$' fripostOwner add
 [ $? -eq 0 ] || exit $?
@@ -744,7 +685,7 @@ for U in ${USERS}; do
 search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \
 search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${ATTRS}
+ checkACL "${U}" "${A}" ${ATTRS} ${ATTRSO}
 done
 done | isOK 'DENIED$' entry delete
 [ $? -eq 0 ] || exit $? |