aboutsummaryrefslogtreecommitdiffstats
path: root/ldap
diff options
context:
space:
mode:
Diffstat (limited to 'ldap')
-rw-r--r--ldap/acl.ldif50
-rw-r--r--ldap/populate.ldif20
-rwxr-xr-xldap/test-user-acl.sh281
3 files changed, 312 insertions, 39 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 7b19d5f..5cc0ef0 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -84,9 +84,9 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
by dnattr=fripostOwner =z break
by * =0 break
#
-# The list creation service can delete the 'pending' status on lists.
+# The list creation service can delete the 'pending' status on lists and list commands.
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+ filter=(&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(objectClass=FripostPendingEntry))
attrs=objectClass val=FripostPendingEntry
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =z break
by * +0 break
@@ -97,7 +97,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
by * +rscd
#
# The pending token is not public, but domain owner and postmasters can check their and
-# delete it (upon success, but it's done on the library side).
+# delete it (if the token matches, but the check is done on the library side).
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry))
attrs=fripostPendingToken
@@ -105,9 +105,9 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
by dnattr=fripostOwner =zcd break
by * +0 break
#
-# The list creation service can delete the 'pending' status on lists.
+# The list creation service can delete the 'pending' status on lists and list commands.
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+ filter=(&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(objectClass=FripostPendingEntry))
attrs=fripostPendingToken
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +z
by * +0
@@ -119,14 +119,6 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break
by * =0 break
#
-# Only the list creation service may add list commands. (It seems unsafe since it can create
-# arbitrary commands, but as other services it run in safe environments only.)
-# (Listcommands are not concerned by the cleaning service.)
-olcAccess: to dn.regex="^fvl=[^,]+-[^,-]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=FripostVirtualListCommand)
- attrs=entry
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
-#
# One can search search everywhere in the virtual tree.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry
@@ -149,7 +141,6 @@ olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
attrs=children
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
#
# The cleaning service needs to know when entries have been created.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
@@ -159,6 +150,7 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
#
# Users can use these in filters (e.g., to list the entries they have created).
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
#
@@ -352,18 +344,38 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
-# 1-3. People with "canAddList" access can create lists, but only with a
-# 'pending' status.
-# 4. The list creation service can search and browse the entry.
+# 1. The domain owner can create and delete lists, but only those with a 'pending' status
+# 2. So can the domain postmaster.
+# 3. The list owner can delete pending lists.
+# 4. The entry creator can delete pending lists (needed to be able to rollback).
+# 5. People with "canAddList" access can create lists, but only with a 'pending' status.
+# 6. The list creation service can search and browse the entry.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
attrs=entry
- by group/FripostVirtualDomain/fripostOwner.expand="$1" +a break
- by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +a break
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" +w break
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +w break
+ by dnattr=fripostOwner +z continue
+ by dnattr=creatorsName +z continue
by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a break
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +rd
by * +0 break
#
+# 1. The domain owner can create and delete list commands, but only those with a 'pending' status
+# 2. So can the domain postmaster.
+# 3. The entry creator can delete pending list commands (needed to be able to rollback).
+# 4. People with "canAddList" access can create list commands, but only with a 'pending' status.
+# 5. The list creation service can search and browse the entry.
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(&(objectClass=FripostVirtualListCommand)(objectClass=FripostPendingEntry))
+ attrs=entry
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" +w
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +w
+ by dnattr=creatorsName +z continue
+ by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +rd
+ by * +0
+#
# 1. The list owners can read the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index edd5d73..73d11fa 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -220,6 +220,26 @@ FripostLocalAlias: list-request#postmastered.org
objectClass: SimpleSecurityObject
userPassword: bogus
+dn: fvl=list-request,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualListCommand
+objectClass: FripostPendingEntry
+FripostLocalAlias: list-request#example2.org
+
+dn: fvl=list-request,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualListCommand
+objectClass: FripostPendingEntry
+FripostLocalAlias: list-request#example3.org
+
+dn: fvl=list2-request,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualListCommand
+objectClass: FripostPendingEntry
+FripostLocalAlias: list2-request#postmastered.org
+
+dn: fvl=list3-request,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualListCommand
+objectClass: FripostPendingEntry
+FripostLocalAlias: list2-request#postmastered.org
+
dn: fvl=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualUser
userPassword: user
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index cfa577d..5e92a3c 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -421,6 +421,16 @@ usersD ${OPERATTRS} | isOK '=0$' entryUUID
[ $? -eq 0 ] || exit $?
+msg "Cannot create non-pending entries"
+for U in ${USERS}; do
+ for D in ${DOMAINS}; do
+ search -s base -b "${D},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' || \
+ checkACL "${U}" "${D}" entry/add
+ done
+done | isOK 'DENIED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
# We check the following permissions:
# 0. Simple user
# 1. canAddAlias (exact,wildcard)
@@ -894,7 +904,8 @@ echo "Authenticated users, access to list entries"
# * entry:
# =s for all
# +a if canAddList, domain owner or domain postmaster
-# +rd if list owner, domain owner or domain postmaster
+# +z if creator
+# +zrd if list owner, domain owner or domain postmaster
# * children:
# =0 for all
# * objectClass
@@ -942,12 +953,22 @@ done | isOK 'DENIED$' fripostListManager
[ $? -eq 0 ] || exit $?
-msg "Cannot delete entry or the pending status"
+msg "Cannot remove the pending status"
for U in ${USERS}; do
for L in ${LISTS}; do
- checkACL "${U}" "${L}" objectClass/delete:FripostPendingEntry entry/delete
+ checkACL "${U}" "${L}" objectClass/delete:FripostPendingEntry
done
-done | isOK 'DENIED$' entry
+done | isOK 'DENIED$' 'objectClass=FripostPendingEntry' delete
+[ $? -eq 0 ] || exit $?
+
+
+msg "Cannot create or delete non-pending entries"
+for U in ${USERS}; do
+ for L in ${LISTS}; do
+ search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' || \
+ checkACL "${U}" "${L}" entry/delete entry/add
+ done
+done | isOK 'DENIED$' entry delete
[ $? -eq 0 ] || exit $?
@@ -1000,7 +1021,7 @@ for U in ${USERS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
- checkACL "${U}" "${L}" entry/add
+ checkACL "${U}" "${L}" entry/add entry/delete
done
done | isOK 'ALLOWED$' entry add
[ $? -eq 0 ] || exit $?
@@ -1015,7 +1036,7 @@ for U in ${USERS}; do
search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
checkACL "${U}" "${L}" entry/add
done
-done | isOK 'ALLOWED$' entry add
+done | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
@@ -1046,22 +1067,68 @@ done | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
-msg "Do not have >=a access to \"entry\" (unless canAddList)"
+msg "Have >=z access to \"entry\" (if pending list owner)"
+for U in ${USERS}; do
+ for L in ${LISTS}; do
+ search -s base -b "${L},${SUFFIX}" "(&(objectClass=FripostPendingEntry)(fripostOwner=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" entry/delete
+ done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have >=z access to \"entry\" (if pending list creator)"
+ldapadd -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' > /dev/null << EOF
+dn: fvl=testlist,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
+objectClass: FripostPendingEntry
+FripostLocalAlias: testlist#example3.org
+fripostListManager: mailman
+fripostIsStatusActive: TRUE
+EOF
+for U in ${USERS}; do
+ for L in ${LISTS} 'fvl=testlist,fvd=example3.org'; do
+ search -s base -b "${L},${SUFFIX}" "(&(objectClass=FripostPendingEntry)(creatorsName=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" entry/delete
+ done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+ldapdelete -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' \
+ "fvl=testlist,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev" > /dev/null
+
+
+msg "Do not have +a access to \"entry\" (unless canAddList on pending lists)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for L in ${LISTS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DL},${SUFFIX}" "(!(|(fripostCanAddList=${U},${SUFFIX})
- (fripostCanAddList=${DU},${SUFFIX})
- (fripostOwner=${U},${SUFFIX})
- (fripostPostmaster=${U},${SUFFIX})))" | grep -q '^dn: ' || \
- search -s base -b "${L},${SUFFIX}" "(!(objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
+ (fripostCanAddList=${DU},${SUFFIX})
+ (fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
checkACL "${U}" "${L}" entry/add
done
done | isOK 'DENIED$' entry
[ $? -eq 0 ] || exit $?
+msg "Do not have +z access to \"entry\" (unless canAddList on pending lists)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIX}" "(fripostOwner=${U},${SUFFIX})" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIX}" "(creatorsName=${U},${SUFFIX})" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+ checkACL "${U}" "${L}" entry/delete
+ done
+done | isOK 'DENIED$' entry
+[ $? -eq 0 ] || exit $?
+
+
msg "Cannot manage ownership (unless domain owner/domain postmaster)"
for U in ${USERS}; do
for L in ${LISTS}; do
@@ -1086,15 +1153,174 @@ for U in ${USERS}; do
done | isOK 'DENIED$' entry delete
[ $? -eq 0 ] || exit $?
-msg "Have =0 access to the list command entries"
+
+###########################################################################
+
+
+echo
+echo "Authenticated users, access to list command entries"
+
+# * entry:
+# =s for all
+# +a if canAddList, domain owner or domain postmaster
+# +zrd if creator, domain owner or domain postmaster
+# * children:
+# =0 for all
+# * objectClass
+# =rscd for all
+# * fvl:
+# =0 forall
+# * localAlias:
+# =0 for all
+
+
+usersLC () {
+ for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ checkACL "${U}" "${LC}" "$@"
+ done
+ done
+}
+
+msg "Have >=s access on \"entry\""
+usersLC entry/search | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Cannot read entries"
+usersLC entry/read entry/disclose | isOK 'DENIED$' entry read
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 access the \"children\", \"localAlias\" and operational attributes"
+usersLC children fripostLocalAlias ${OPERATTRS} | isOK '=0$' children
+[ $? -eq 0 ] || exit $?
+
+
+msg "Cannot remove the pending status"
+for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ checkACL "${U}" "${LC}" objectClass/delete:FripostPendingEntry
+ done
+done | isOK 'DENIED$' 'objectClass=FripostPendingEntry' delete
+[ $? -eq 0 ] || exit $?
+
+
+msg "Cannot create or delete non-pending entries"
+for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' || \
+ checkACL "${U}" "${LC}" entry/add entry/delete
+ done
+done | isOK 'DENIED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+msg "Can create list command (if domain Owner)"
+[ $? -eq 0 ] || exit $?
+for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+ checkACL "${U}" "${LC}" entry/add entry/delete
+ done
+done | isOK 'ALLOWED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+msg "Can create list command (if domain Postmaster)"
+[ $? -eq 0 ] || exit $?
+for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+ checkACL "${U}" "${LC}" entry/add entry/delete
+ done
+done | isOK 'ALLOWED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+# Needed to create new entries. ("+z" is required to delete, btw.)
+msg "Have >=a access to \"entry\" (if CanAddList, exact)"
for U in ${USERS}; do
for LC in ${LISTSC}; do
- checkACL "${U}" "${LC}"
+ DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+ checkACL "${U}" "${LC}" entry/add
done
-done | grep -Ev '^objectClass=' | isOK '=0$' entry
+done | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
+# Needed to create new entries. ("+z" is required to delete, btw.)
+msg "Have >=a access to \"entry\" (if CanAddList, wildcard)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ for LC in ${LISTSC}; do
+ DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${LC},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+ checkACL "${U}" "${LC}" entry/add
+ done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have >=z access to \"entry\" (if pending list command creator)"
+ldapadd -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' > /dev/null << EOF
+dn: fvl=test-request,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualListCommand
+objectClass: FripostPendingEntry
+FripostLocalAlias: test-request#example3.org
+EOF
+for U in ${USERS}; do
+ for LC in ${LISTSC} 'fvl=test-request,fvd=example3.org'; do
+ search -s base -b "${LC},${SUFFIX}" "(&(objectClass=FripostPendingEntry)(creatorsName=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+ checkACL "${U}" "${LC}" entry/delete
+ done
+done | isOK 'ALLOWED$' entry
+[ $? -eq 0 ] || exit $?
+ldapdelete -w user2 -xD 'fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev' \
+ "fvl=test-request,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev" > /dev/null
+
+
+msg "Do not have >=a access to \"entry\" (unless canAddList)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
+ (fripostCanAddList=${DU},${SUFFIX})
+ (fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+ checkACL "${U}" "${L}" entry/add
+ done
+done | isOK 'DENIED$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Do not have +a or +z access to \"entry\" (unless canAddList on pending lists)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ for LC in ${LISTSC}; do
+ DL="$(echo "${LC}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
+ (fripostCanAddList=${DU},${SUFFIX})
+ (fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+ search -s base -b "${LC},${SUFFIX}" "(creatorsName=${U},${SUFFIX})" | grep -q '^dn: ' || \
+ search -s base -b "${LC},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+ checkACL "${U}" "${LC}" entry/add entry/delete
+ done
+done | isOK 'DENIED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+
+
###########################################################################
@@ -1206,8 +1432,15 @@ for L in ${LISTS}; do
done | isOK 'ALLOWED$'
[ $? -eq 0 ] || exit $?
+msg "Can remove the 'pending' status on list commands"
+for LC in ${LISTSC}; do
+ search -s base -b "${LC},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+ checkACL "cn=CreateList" "${LC}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
+done | isOK 'ALLOWED$'
+[ $? -eq 0 ] || exit $?
+
msg "Cannot create a 'pending' satus"
-for L in ${LISTS}; do
+for L in ${LISTS} ${LISTSC}; do
search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
checkACL "cn=CreateList" "${L}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
done | isOK 'DENIED$'
@@ -1226,11 +1459,11 @@ for L in ${LISTS}; do
done | isOK '=rsd$'
[ $? -eq 0 ] || exit $?
-msg "Have =a access on domains' children attribute"
+msg "Have =0 access on domains' children attribute"
for D in ${DOMAINS}; do
search -s base -b "${D},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
checkACL "cn=CreateList" "${D}" children
-done | isOK '=a$'
+done | isOK '=0$'
[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list attributes"
@@ -1239,10 +1472,11 @@ for L in ${LISTS}; do
done | isOK '=0$' fvl
[ $? -eq 0 ] || exit $?
-msg "Have =a access on list commands' entry attribute"
+msg "Have =rsd access on pending list commands' \"entry\" attribute"
for LC in ${LISTSC}; do
+ search -s base -b "${LC},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
checkACL "cn=CreateList" "${LC}" entry
-done | isOK '=a$'
+done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list command attributes"
@@ -1251,6 +1485,13 @@ for LC in ${LISTSC}; do
done | isOK '=0$' children
[ $? -eq 0 ] || exit $?
+msg "Cannot read non pending list commands"
+for LC in ${LISTSC}; do
+ search -s base -b "${LC},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+ checkACL "cn=CreateList" "${LC}" entry/read entry/write
+done | isOK 'DENIED$' entry read
+[ $? -eq 0 ] || exit $?
+
###########################################################################