Diffstat (limited to 'ldap/test-user-acl.sh')
-rwxr-xr-x | ldap/test-user-acl.sh | 130 |
1 files changed, 113 insertions, 17 deletions
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh index 7046716..3023152 100755 --- a/ldap/test-user-acl.sh +++ b/ldap/test-user-acl.sh @@ -215,6 +215,16 @@ usersB ${OPERATTRS} | isOK '=0$' entryUUID [ $? -eq 0 ] || exit $? +msg "Cannot create children under a pending entry" +for U in ${USERS}; do + for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \ + checkACL "${U}" "${X}" children + done +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? + + ########################################################################### @@ -227,7 +237,7 @@ echo "Authenticated users, access to domain entries" # +rd if children, canAdd{Alias,List}, owner or postmaster # +z if owner or postmaster # * children: -# =w for all +# =w for all (non-pending entries) # * objectClass: # =s for all # * fvd: @@ -345,8 +355,13 @@ done | isOK 'DENIED$' entry add # We ensure not to give +a/+z access to the \"entry\" attribute of the # children, unless justified (required to add/delete a child). -msg "Have =w access to \"children\"" -usersD children | isOK '=w$' children +msg "Have =w access to \"children\" (for non-pending attributes)" +for U in ${USERS}; do + for D in ${DOMAINS}; do + search -s base -b "${D},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + checkACL "${U}" "${D}" children + done +done | isOK '=w$' children [ $? -eq 0 ] || exit $? msg "Have =s access to \"objectClass\"" 
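Review bot: The "Cannot create children under a pending entry" loop in the @@ -215 hunk passes vacuously if the fixture holds no pending entry: the `&&` guard skips checkACL for every X, and `isOK '=0$' children` then sees empty input — assuming isOK, which is defined outside this hunk, does not treat empty input as a failure. Consider asserting that at least one pending entry exists before the loop (a single `search` for `(fripostPendingToken=*)` whose output must contain a `dn:` line), so the `=0` expectation is actually exercised rather than trivially satisfied. The same remark applies to every `&&`-guarded loop added for cn=DeletePendingEntries in the last hunk of this diff.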
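Review bot: The message on the first added line of the @@ -345 hunk says `(for non-pending attributes)`, but the guard filters on `(fripostPendingToken=*)` at the entry level, so it should read `msg "Have =w access to \"children\" (for non-pending entries)"`, matching the comment the @@ -227 hunk updates to `=w for all (non-pending entries)`. With the `||` guard, pending domains are now silently skipped here rather than asserted; that is acceptable only because the @@ -215 hunk pins the `=0` expectation for pending entries of all types, so the two hunks should be kept together.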
@@ -391,7 +406,7 @@ ATTRSA="fripostOwner/read fripostOwner/compare msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddAlias, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanAddAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA} done done | isOK 'ALLOWED$' children @@ -403,7 +418,7 @@ msg "Have >=rscd to the public attributes and >=a to \"children\" (if CanAddAlia for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanAddAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA} done done | isOK 'ALLOWED$' children @@ -417,7 +432,7 @@ ATTRSL="fripostOwner/read fripostOwner/compare msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddList, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children 
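Review bot: The conjunct `(!(fripostPendingToken=*))` is now hand-written into six near-identical filters (this hunk, @@ -403 and @@ -417 on the same line, and @@ -429, @@ -448 and @@ -464 on the next), which makes it easy for one of them to drift when the pending-entry rule changes again. A small helper such as `is_live() { search -s base -b "${2},${SUFFIX}" "(&(${1})(!(fripostPendingToken=*)))" | grep -q '^dn: '; }` called as `is_live "fripostCanAddAlias=${U},${SUFFIX}" "${D}" && checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA}` would keep the exclusion in one place. The DN interpolated into each filter (`${U},${SUFFIX}`, `${DU},${SUFFIX}`) is not filter-escaped; that predates this change and is tolerable only because the DNs come from the test fixture, which a comment on the helper could state.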
@@ -429,7 +444,7 @@ msg "Have >=rscd access to the public attributes and >=a to \"children\" (if Can for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children @@ -448,7 +463,7 @@ ATTRSO="entry/delete description/add description/delete" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostOwner=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} done done | isOK 'ALLOWED$' children @@ -464,7 +479,7 @@ ATTRSP="fripostCanAddAlias/add fripostCanAddAlias/delete fripostCanAddList/add fripostCanAddList/delete" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostPostmaster=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} ${ATTRSP} done done | isOK 'ALLOWED$' children 
@@ -720,8 +735,8 @@ usersD objectClass | isOK '=s' objectClass [ $? -eq 0 ] || exit $? -ATTRS="entry/delete entry/read entry/disclose - fva/write fva/read fva/search fva/compare fva/disclose +ATTRS="entry/delete entry/read entry/disclose + fva/write fva/read fva/search fva/compare fva/disclose fripostMaildrop/add fripostMaildrop/delete fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose @@ -845,7 +860,7 @@ echo "Authenticated users, access to list entries" # * fripostIsStatusActive: # =wrscd if list owner, domain owner or domain postmaster # * fripostPendingToken: -# =rscd if list owner, domain owner or domain postmaster +# =scd if list owner, domain owner or domain postmaster # * fripostOwner: # =d for all # +rsc if list owner, domain owner or domain postmaster @@ -1000,7 +1015,7 @@ done | isOK 'DENIED$' entry delete msg "Have =0 access to the list command entries" for U in ${USERS}; do for LC in ${LISTSC}; do - checkACL "${U}" "${LC}" + checkACL "${U}" "${LC}" done done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry [ $? -eq 0 ] || exit $? @@ -1009,6 +1024,7 @@ done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry ########################################################################### +SUFFIX0="${SUFFIX}" SUFFIX="${SUFFIXS}" echo @@ -1100,7 +1116,7 @@ done | isOK '=sd$' objectClass msg "Have =0 access on other list command attributes" for LC in ${LISTSC}; do - checkACL "cn=SMTP" "${LC}" children ${OPERATTRS} + checkACL "cn=SMTP" "${LC}" children ${OPERATTRS} done | isOK '=0$' children [ $? -eq 0 ] || exit $? 
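Review bot: `SUFFIX0="${SUFFIX}"` in the @@ -1009 hunk introduces a global that the later ListCreator and DeletePendingEntries sections search under while `SUFFIX` is repointed at `${SUFFIXS}`, and nothing says why. A one-line comment such as `# keep the original suffix: later sections search entries under it after SUFFIX is switched to SUFFIXS` would spare the next reader the hunt. Presumably SUFFIXS is the suffix the service tests run against; if so, that is worth stating in the same comment.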
@@ -1112,7 +1128,7 @@ echo "Service ListCreator" msg "Have =0 access on domain attributes" for D in ${DOMAINS}; do - checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description + checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken done | isOK '=0$' entry [ $? -eq 0 ] || exit $? @@ -1142,6 +1158,7 @@ done | isOK '=rsd$' msg "Have =a access on lists' children attribute" for L in ${LISTS}; do + search -s base -b "${L},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ checkACL "cn=ListCreator" "${L}" children done | isOK '=a$' [ $? -eq 0 ] || exit $? 
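Review bot: The added `||` guard in the @@ -1142 hunk only skips pending lists, so cn=ListCreator's access to their `children` attribute is no longer asserted at all. If the intent is that ListCreator may not add under a pending list, a mirror loop using `&&` with the expected mask (presumably `isOK '=0$'`) would pin that, as the @@ -215 hunk does for authenticated users. The `search` runs under `${SUFFIX0}` while checkACL receives only `${L}`; this appears to rely on checkACL resolving the same entry under whichever suffix it uses internally, which a short comment on the guard line should confirm.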
@@ -1168,11 +1185,90 @@ done | isOK '=0$' children ########################################################################### echo +echo "Service DeletePendingEntries" + +msg "Have =z access on the \"children\" attribute of non-pending entries" +(checkACL "cn=DeletePendingEntries" "" children +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + checkACL "cn=DeletePendingEntries" "${X}" children +done) | isOK '=z$' children +[ $? -eq 0 ] || exit $? + +msg "Have =zrsd access on the \"entry\" attribute of pending entries" +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \ + checkACL "cn=DeletePendingEntries" "${X}" entry +done | isOK '=zrsd$' entry +[ $? -eq 0 ] || exit $? + +msg "Have =s access on the \"entry\" attribute of non-pending entries" +(checkACL "cn=DeletePendingEntries" "" entry +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + checkACL "cn=DeletePendingEntries" "${X}" entry +done) | isOK '=s$' entry +[ $? -eq 0 ] || exit $? + +msg "Have =sd access on the attributes it needs on pending entries" +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \ + checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken +done | isOK '=sd$' fripostPendingToken +[ $? -eq 0 ] || exit $? + +msg "Have =0 access these attributes for non-pending entries" +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken +done | isOK '=0$' fripostPendingToken +[ $? -eq 0 ] || exit $? 
+
+msg "Have =s access on the object class"
+for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
+ checkACL "cn=DeletePendingEntries" "${X}" objectClass
+done | isOK '=s$' objectClass
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on other domain attributes"
+for D in ${DOMAINS}; do
+ checkACL "cn=DeletePendingEntries" "${D}" fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description
+done | isOK '=0$' fvd
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on other user attributes"
+for U in ${USERS}; do
+ checkACL "cn=DeletePendingEntries" "${U}" fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+done | isOK '=0$' fvu
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on other alias attributes"
+for A in ${ALIASES}; do
+ checkACL "cn=DeletePendingEntries" "${A}" fva fripostMaildrop fripostIsStatusActive fripostOwner description
+done | isOK '=0$' fva
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on other list attributes"
+for L in ${LISTS}; do
+ checkACL "cn=DeletePendingEntries" "${L}" fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description
+done | isOK '=0$' fvl
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on other list command attributes"
+for LC in ${LISTSC}; do
+ checkACL "cn=AdminWebPanel" "${LC}" fvlc fripostLocalAlias
+done | isOK '=0$' fvlc
+[ $? -eq 0 ] || exit $?
+ + +########################################################################### + +echo echo "Service AdminWebPanel" msg "Have =0 access on domain attributes" for D in ${DOMAINS}; do - checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description + checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken done | isOK '=0$' entry [ $? -eq 0 ] || exit $? @@ -1194,7 +1290,7 @@ for L in ${LISTS}; do done | isOK '=0$' entry [ $? -eq 0 ] || exit $? -msg "Have =0 access on other list command attributes" +msg "Have =0 access on list command attributes" for LC in ${LISTSC}; do checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias done | isOK '=0$' entry |
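Review bot: In the new DeletePendingEntries section, the stanza under `msg "Have =0 access on other list command attributes"` calls `checkACL "cn=AdminWebPanel" "${LC}" fvlc fripostLocalAlias`, so it re-tests AdminWebPanel (already covered further down) and never exercises the new service on list command attributes; it should read `checkACL "cn=DeletePendingEntries" "${LC}" fvlc fripostLocalAlias`. The slip passes silently because AdminWebPanel also has `=0` there, which is exactly how an over-broad grant to cn=DeletePendingEntries would go unnoticed. Minor wording: `msg "Have =0 access these attributes for non-pending entries"` is missing a word and would read better as `msg "Have =0 access to these attributes on non-pending entries"`.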