path: root/ldap/test-user-acl.sh
Diffstat (limited to 'ldap/test-user-acl.sh')
-rwxr-xr-xldap/test-user-acl.sh281
1 files changed, 261 insertions, 20 deletions
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index cfa577d..5e92a3c 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -421,6 +421,16 @@ usersD ${OPERATTRS} | isOK '=0$' entryUUID
[ $? -eq 0 ] || exit $?
+msg "Cannot create non-pending entries"
+for U in ${USERS}; do
+ for D in ${DOMAINS}; do
+ search -s base -b "${D},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' || \
+ checkACL "${U}" "${D}" entry/add
+ done
+done | isOK 'DENIED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
# We check the following permissions:
# 0. Simple user
# 1. canAddAlias (exact,wildcard)
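Review bot: The filter on L19 is written without enclosing parentheses, `"objectClass=FripostPendingEntry"`, while other searches added by this commit use `"(objectClass=FripostPendingEntry)"` (L124, L138, L326); ldapsearch accepts both, but the script should settle on one form, and the parenthesized form is the one the compound filters on L83 and L101 already require. The unparenthesized form recurs on L56, L207, L220, L233, L247 and L260. Separately, `search … | grep -q '^dn: ' || checkACL …` treats a search that fails for a non-ACL reason (bind or connection error) the same as a non-pending entry, so the DENIED check then runs against pending entries and fails for an infrastructure reason; capturing the search status separately, e.g. `out=$(search …) || exit 1`, would keep the two failure modes apart.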
@@ -894,7 +904,8 @@ echo "Authenticated users, access to list entries"
# * entry:
# =s for all
# +a if canAddList, domain owner or domain postmaster
-# +rd if list owner, domain owner or domain postmaster
+# +z if creator
+# +zrd if list owner, domain owner or domain postmaster
# * children:
# =0 for all
# * objectClass
@@ -942,12 +953,22 @@ done | isOK 'DENIED$' fripostListManager
[ $? -eq 0 ] || exit $?
-msg "Cannot delete entry or the pending status"
+msg "Cannot remove the pending status"
for U in ${USERS}; do
for L in ${LISTS}; do
- checkACL "${U}" "${L}" objectClass/delete:FripostPendingEntry entry/delete
+ checkACL "${U}" "${L}" objectClass/delete:FripostPendingEntry
done
-done | isOK 'DENIED$' entry
+done | isOK 'DENIED$' 'objectClass=FripostPendingEntry' delete
+[ $? -eq 0 ] || exit $?
+
+
+msg "Cannot create or delete non-pending entries"
+for U in ${USERS}; do
+ for L in ${LISTS}; do
+ search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' || \
+ checkACL "${U}" "${L}" entry/delete entry/add
+ done
+done | isOK 'DENIED$' entry delete
[ $? -eq 0 ] || exit $?
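Review bot: L57 now checks both `entry/delete` and `entry/add`, but the `isOK 'DENIED$' entry delete` on L59 only names `delete`; if isOK's trailing arguments select which result lines are verified (which is what `entry add` on L22 and L210 for the same pair suggests), the add result here is never asserted. The same mismatch appears on L66/L68 (`entry/add entry/delete` checked, `entry add` asserted), L221/L223, L234/L236, L312/L314 and L367/L368 (`entry/read entry/write` checked, `entry read` asserted). If isOK does filter, either drop the attribute/operation arguments as L75 does, or run one pipeline per operation. isOK's definition is not on this page, so this is inferred from how its arguments are used elsewhere in the diff.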
@@ -1000,7 +1021,7 @@ for U in ${USERS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
- checkACL "${U}" "${L}" entry/add
+ checkACL "${U}" "${L}" entry/add entry/delete
done
done | isOK 'ALLOWED$' entry add
[ $? -eq 0 ] || exit $?
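Review bot: The ALLOWED checks built as `search … | grep -q '^dn: ' && checkACL …` (L63-L66, and likewise L83, L101, L219-L221, L232-L234, L246-L248, L259-L261, L276-L277, L326-L327, L355-L356) skip checkACL silently when a search fails for a non-ACL reason, so a broken bind or a missing fixture produces no output at all and, if isOK accepts empty input, the test passes without exercising the ACL it is meant to cover. Adding `|| exit 1` to the search stage, or asserting after the loop that at least one line was produced, would close that gap. The enclosing for loop starts outside the hunk.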
@@ -1015,7 +1036,7 @@ for U in ${USERS}; do
search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
checkACL "${U}" "${L}" entry/add
done
-done | isOK 'ALLOWED$' entry add
+done | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
@@ -1046,22 +1067,68 @@ done | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
-msg "Do not have >=a access to \"entry\" (unless canAddList)"
+msg "Have >=z access to \"entry\" (if pending list owner)"
+for U in ${USERS}; do
+ for L in ${LISTS}; do
+ search -s base -b "${L},${SUFFIX}" "(&(objectClass=FripostPendingEntry)(fripostOwner=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" entry/delete
+ done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have >=z access to \"entry\" (if pending list creator)"
+ldapadd -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' > /dev/null << EOF
+dn: fvl=testlist,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
+objectClass: FripostPendingEntry
+FripostLocalAlias: testlist#example3.org
+fripostListManager: mailman
+fripostIsStatusActive: TRUE
+EOF
+for U in ${USERS}; do
+ for L in ${LISTS} 'fvl=testlist,fvd=example3.org'; do
+ search -s base -b "${L},${SUFFIX}" "(&(objectClass=FripostPendingEntry)(creatorsName=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" entry/delete
+ done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+ldapdelete -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' \
+ "fvl=testlist,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev" > /dev/null
+
+
+msg "Do not have +a access to \"entry\" (unless canAddList on pending lists)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for L in ${LISTS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DL},${SUFFIX}" "(!(|(fripostCanAddList=${U},${SUFFIX})
- (fripostCanAddList=${DU},${SUFFIX})
- (fripostOwner=${U},${SUFFIX})
- (fripostPostmaster=${U},${SUFFIX})))" | grep -q '^dn: ' || \
- search -s base -b "${L},${SUFFIX}" "(!(objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
+ (fripostCanAddList=${DU},${SUFFIX})
+ (fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
checkACL "${U}" "${L}" entry/add
done
done | isOK 'DENIED$' entry
[ $? -eq 0 ] || exit $?
+msg "Do not have +z access to \"entry\" (unless canAddList on pending lists)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIX}" "(fripostOwner=${U},${SUFFIX})" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIX}" "(creatorsName=${U},${SUFFIX})" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+ checkACL "${U}" "${L}" entry/delete
+ done
+done | isOK 'DENIED$' entry
+[ $? -eq 0 ] || exit $?
+
+
msg "Cannot manage ownership (unless domain owner/domain postmaster)"
for U in ${USERS}; do
for L in ${LISTS}; do
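Review bot: The exit on L105 runs before the ldapdelete on L106-L107, so a failing check leaves `fvl=testlist,fvd=example3.org` in the directory and the next run's ldapadd on L91 fails on an already-existing entry; the ldapadd status is also discarded by `> /dev/null` with no check, so a failed add just yields an empty creator loop. Keep the status in a variable, run the cleanup, then exit, e.g. `rv=$?` / `ldapdelete … > /dev/null` / `[ $rv -eq 0 ] || exit $rv`, or register the ldapdelete in a `trap … EXIT`; L268-L282 has the same shape. Separately, the message on L129 says "unless canAddList on pending lists" but the filters on L134-L138 exclude domain owner, domain postmaster, list owner, creator and pending entries and never canAddList, so the message should describe those conditions instead.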
@@ -1086,15 +1153,174 @@ for U in ${USERS}; do
done | isOK 'DENIED$' entry delete
[ $? -eq 0 ] || exit $?
-msg "Have =0 access to the list command entries"
+
+###########################################################################
+
+
+echo
+echo "Authenticated users, access to list command entries"
+
+# * entry:
+# =s for all
+# +a if canAddList, domain owner or domain postmaster
+# +zrd if creator, domain owner or domain postmaster
+# * children:
+# =0 for all
+# * objectClass
+# =rscd for all
+# * fvl:
+# =0 forall
+# * localAlias:
+# =0 for all
+
+
+usersLC () {
+ for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ checkACL "${U}" "${LC}" "$@"
+ done
+ done
+}
+
+msg "Have >=s access on \"entry\""
+usersLC entry/search | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Cannot read entries"
+usersLC entry/read entry/disclose | isOK 'DENIED$' entry read
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 access the \"children\", \"localAlias\" and operational attributes"
+usersLC children fripostLocalAlias ${OPERATTRS} | isOK '=0$' children
+[ $? -eq 0 ] || exit $?
+
+
+msg "Cannot remove the pending status"
+for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ checkACL "${U}" "${LC}" objectClass/delete:FripostPendingEntry
+ done
+done | isOK 'DENIED$' 'objectClass=FripostPendingEntry' delete
+[ $? -eq 0 ] || exit $?
+
+
+msg "Cannot create or delete non-pending entries"
+for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' || \
+ checkACL "${U}" "${LC}" entry/add entry/delete
+ done
+done | isOK 'DENIED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+msg "Can create list command (if domain Owner)"
+[ $? -eq 0 ] || exit $?
+for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+ checkACL "${U}" "${LC}" entry/add entry/delete
+ done
+done | isOK 'ALLOWED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+msg "Can create list command (if domain Postmaster)"
+[ $? -eq 0 ] || exit $?
+for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+ checkACL "${U}" "${LC}" entry/add entry/delete
+ done
+done | isOK 'ALLOWED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+# Needed to create new entries. ("+z" is required to delete, btw.)
+msg "Have >=a access to \"entry\" (if CanAddList, exact)"
for U in ${USERS}; do
for LC in ${LISTSC}; do
- checkACL "${U}" "${LC}"
+ DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+ checkACL "${U}" "${LC}" entry/add
done
-done | grep -Ev '^objectClass=' | isOK '=0$' entry
+done | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
+# Needed to create new entries. ("+z" is required to delete, btw.)
+msg "Have >=a access to \"entry\" (if CanAddList, wildcard)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ for LC in ${LISTSC}; do
+ DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+ checkACL "${U}" "${LC}" entry/add
+ done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have >=z access to \"entry\" (if pending list command creator)"
+ldapadd -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' > /dev/null << EOF
+dn: fvl=test-request,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualListCommand
+objectClass: FripostPendingEntry
+FripostLocalAlias: test-request#example3.org
+EOF
+for U in ${USERS}; do
+ for LC in ${LISTSC} 'fvl=test-request,fvd=example3.org'; do
+ search -s base -b "${LC},${SUFFIX}" "(&(objectClass=FripostPendingEntry)(creatorsName=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+ checkACL "${U}" "${LC}" entry/delete
+ done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+ldapdelete -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' \
+ "fvl=test-request,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev" > /dev/null
+
+
+msg "Do not have >=a access to \"entry\" (unless canAddList)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
+ (fripostCanAddList=${DU},${SUFFIX})
+ (fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+ checkACL "${U}" "${L}" entry/add
+ done
+done | isOK 'DENIED$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Do not have +a or +z access to \"entry\" (unless canAddList on pending lists)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ for LC in ${LISTSC}; do
+ DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
+ (fripostCanAddList=${DU},${SUFFIX})
+ (fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+ search -s base -b "${LC},${SUFFIX}" "(creatorsName=${U},${SUFFIX})" | grep -q '^dn: ' || \
+ search -s base -b "${LC},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+ checkACL "${U}" "${LC}" entry/add entry/delete
+ done
+done | isOK 'DENIED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+
+
###########################################################################
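Review bot: The `[ $? -eq 0 ] || exit $?` on L215 and L228 sits directly after `msg` and therefore tests msg's return status, not an ACL result; the real checks are on L224 and L237, so these two lines should be dropped. The new `usersLC` helper on L173-L179 has no header comment and loops over `U`/`LC` without `local`; a one-line comment such as `# usersLC: run checkACL with "$@" for every user against every list command entry` would make its role clear, and `local U LC` would stop it from clobbering the loop variables used at top level. Two comment typos: `forall` on L168 and `access the "children"` on L190 (missing `to`).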
@@ -1206,8 +1432,15 @@ for L in ${LISTS}; do
done | isOK 'ALLOWED$'
[ $? -eq 0 ] || exit $?
+msg "Can remove the 'pending' status on list commands"
+for LC in ${LISTSC}; do
+ search -s base -b "${LC},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+ checkACL "cn=CreateList" "${LC}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
+done | isOK 'ALLOWED$'
+[ $? -eq 0 ] || exit $?
+
msg "Cannot create a 'pending' satus"
-for L in ${LISTS}; do
+for L in ${LISTS} ${LISTSC}; do
search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
checkACL "cn=CreateList" "${L}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
done | isOK 'DENIED$'
@@ -1226,11 +1459,11 @@ for L in ${LISTS}; do
done | isOK '=rsd$'
[ $? -eq 0 ] || exit $?
-msg "Have =a access on domains' children attribute"
+msg "Have =0 access on domains' children attribute"
for D in ${DOMAINS}; do
search -s base -b "${D},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
checkACL "cn=CreateList" "${D}" children
-done | isOK '=a$'
+done | isOK '=0$'
[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list attributes"
@@ -1239,10 +1472,11 @@ for L in ${LISTS}; do
done | isOK '=0$' fvl
[ $? -eq 0 ] || exit $?
-msg "Have =a access on list commands' entry attribute"
+msg "Have =rsd access on pending list commands' \"entry\" attribute"
for LC in ${LISTSC}; do
+ search -s base -b "${LC},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
checkACL "cn=CreateList" "${LC}" entry
-done | isOK '=a$'
+done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list command attributes"
@@ -1251,6 +1485,13 @@ for LC in ${LISTSC}; do
done | isOK '=0$' children
[ $? -eq 0 ] || exit $?
+msg "Cannot read non pending list commands"
+for LC in ${LISTSC}; do
+ search -s base -b "${LC},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+ checkACL "cn=CreateList" "${LC}" entry/read entry/write
+done | isOK 'DENIED$' entry read
+[ $? -eq 0 ] || exit $?
+
###########################################################################