From 6689ea9829fd2957ff1c1589b0731eedb5fc8817 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 26 Sep 2012 02:36:45 +0200
Subject: Updated the LDAP schema to suit the list creation script, and the acl to suit the SASL authentication.
---
 ldap/test-user-acl.sh | 212 +++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 193 insertions(+), 19 deletions(-)
(limited to 'ldap/test-user-acl.sh')
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index b3fd930..12f3d14 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -11,7 +11,9 @@ SLAPACL=/usr/sbin/slapacl
-SUFFIX="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+SUFFIXV="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+SUFFIXS="ou=services,o=mailHosting,dc=fripost,dc=dev"
+SUFFIX="${SUFFIXV}"
 RES=$(tempfile) || exit 1
@@ -19,7 +21,7 @@ checkACL () {
 CMD=${SLAPACL}
 BIND="${1},${SUFFIX}"
 if [ -n "${1}" ]; then CMD="${CMD} -D ${BIND}"; fi
-if [ -n "${2}" ]; then BASE="${2},${SUFFIX}"; else BASE="${SUFFIX}"; fi
+if [ -n "${2}" ]; then BASE="${2},${SUFFIXV}"; else BASE="${SUFFIXV}"; fi
 shift; shift
 ${CMD} -b "${BASE}" "$@" 2>&1 | grep -vixF -e "authcDN: \"${BIND}\""
@@ -74,6 +76,10 @@ ALIASES=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualAlias" dn | \
 grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fva=\1,fvd=\2/')
 LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \
 grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/')
+LISTSC=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualListCommand" dn | \
+ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+), *([^,]+),.*/fvlc=\1,fvl=\2,fvd=\3/')
+
+OPERATTRS="structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp"
 ########################################################################
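Review bot: `SUFFIX="${SUFFIXV}"` turns SUFFIX into a mode switch that nothing documents: after this commit checkACL builds the bind DN from `${SUFFIX}` but the base DN from `${SUFFIXV}`, and the last hunk repoints SUFFIX to `${SUFFIXS}` before the service-account sections, so any user check placed after that assignment would silently bind as a service DN. Add a comment above the assignment, `# Subtree the bind DNs passed to checkACL live under; repointed to ${SUFFIXS} for the service checks below`, and a matching one-liner at the reassignment.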
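Review bot: OPERATTRS centralises the "=0 on operational attributes" set but leaves out `creatorsName`, and the new list-command check in the last hunk filters `creatorsName=` out of slapacl's output instead of asserting it, so no check in this file pins that attribute's access for ordinary users; if the omission is intentional, say so at the definition, `# Operational attributes every non-admin bind must have =0 on (creatorsName handled separately — TODO confirm)`, otherwise add it to the set. The variable is expanded unquoted at every use so that it word-splits into one attribute per argument; that is required here and worth a comment, since a later quoting pass would turn it into a single bogus attribute name.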
@@ -150,7 +156,7 @@ usersB children | isOK '=z$' children
 msg "Have =0 access to the operational attributes"
-usersB structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' entryUUID
+usersB ${OPERATTRS} | isOK '=0$' entryUUID
 [ $? -eq 0 ] || exit $?
@@ -224,7 +230,7 @@ usersD entry/search fripostOwner/search fripostPostmaster/search | isOK 'ALLOWED
 [ $? -eq 0 ] || exit $?
 msg "Have =0 access to the operational attributes"
-usersD structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' entryUUID
+usersD ${OPERATTRS} | isOK '=0$' entryUUID
 [ $? -eq 0 ] || exit $?
@@ -478,7 +484,7 @@ usersU entry/read entry/search entry/disclose fvu/read \
 [ $? -eq 0 ] || exit $?
 msg "Have =0 access to their \"children\" and operational attributes"
-usersU children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children
+usersU children ${OPERATTRS} | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 msg "Have =s access to \"objectClass\""
@@ -532,7 +538,7 @@ usersP entry | isOK '=arsd$' entry
 [ $? -eq 0 ] || exit $?
 msg "Have =0 access to their users' \"children\" and operational attributes (if Postmaster)"
-usersP children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children
+usersP children ${OPERATTRS} | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
@@ -578,7 +584,7 @@ usersA fripostOwner/search entry/search | isOK 'ALLOWED$' entry
 msg "Have =0 access to the \"children\" and operational attributes"
-usersA children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children
+usersA children ${OPERATTRS} | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 msg "Have =s access to \"objectClass\""
@@ -701,7 +707,7 @@ echo "Authenticated users, access to list entries"
 # * entry:
 # =s for all
 # +a if canCreateList, domain owner or domain postmaster
-# +zrd if list owner, domain owner or domain postmaster
+# +rd if list owner, domain owner or domain postmaster
 # * children:
 # =0 for all
 # * fvl:
@@ -710,7 +716,7 @@ echo "Authenticated users, access to list entries"
 # =rscd if list owner, domain owner or domain postmaster
 # * fripostIsStatusActive:
 # =wrscd if list owner, domain owner or domain postmaster
-# * fripostListCommand:
+# * fripostIsStatusPending:
 # =rscd if list owner, domain owner or domain postmaster
 # * fripostOwner:
 # =d for all
@@ -734,40 +740,48 @@ usersL fripostOwner/search entry/search | isOK 'ALLOWED$' entry msg "Have =0 access the \"children\" and operational attributes" -usersL children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children +usersL children ${OPERATTRS} | isOK '=0$' children [ $? -eq 0 ] || exit $? -msg "Cannot change transport-related attributes" +msg "Cannot change transport" for U in ${USERS}; do for L in ${LISTS}; do - checkACL "${U}" "${L}" fripostListCommand/add fripostListCommand/delete \ - fripostListManager/write + checkACL "${U}" "${L}" fripostListManager/write done done | isOK 'DENIED$' fripostListManager [ $? -eq 0 ] || exit $? -ATTRS="entry/read entry/disclose entry/delete +msg "Cannot edit pending status; Cannot delete entry" +for U in ${USERS}; do + for L in ${LISTS}; do + checkACL "${U}" "${L}" fripostIsStatusPending/write entry/delete + done +done | isOK 'DENIED$' fripostIsStatusPending +[ $? -eq 0 ] || exit $? + + +ATTRS="entry/read entry/disclose fvl/write fvl/read fvl/search fvl/compare fvl/disclose fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose - fripostListCommand/read fripostListCommand/search fripostListCommand/compare fripostListCommand/disclose + fripostIsStatusPending/read fripostIsStatusPending/search fripostIsStatusPending/compare fripostIsStatusPending/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose description/add description/delete description/read description/compare description/disclose" ATTRS2="fripostOwner/add fripostOwner/delete" -msg "Can edit/delete list (if list Owner)" +msg "Can edit list (if list Owner)" for U in ${USERS}; do for L in ${LISTS}; do search -s base -b "${L},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" 
"${L}" ${ATTRS} done -done | isOK 'ALLOWED$' entry delete +done | isOK 'ALLOWED$' entry read [ $? -eq 0 ] || exit $? -msg "Can edit/create/delete list (if domain Owner)" +msg "Can edit/create list (if domain Owner)" [ $? -eq 0 ] || exit $? for U in ${USERS}; do for L in ${LISTS}; do @@ -779,7 +793,7 @@ done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? -msg "Can edit/create/delete list (if domain Postmaster)" +msg "Can edit/create list (if domain Postmaster)" [ $? -eq 0 ] || exit $? for U in ${USERS}; do for L in ${LISTS}; do 
@@ -855,9 +869,169 @@ for U in ${USERS}; do
 done | isOK 'DENIED$' entry delete
 [ $? -eq 0 ] || exit $?
+msg "Have =0 access to the list command entries"
+for U in ${USERS}; do
+ for LC in ${LISTSC}; do
+ checkACL "${U}" "${LC}"
+ done
+done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
 ###########################################################################
+SUFFIX="${SUFFIXS}"
+
+echo
+echo "Service SMTP"
+
+msg "Can read and search the domain attributes it needs"
+for D in ${DOMAINS}; do
+ checkACL "cn=SMTP" "${D}" entry objectClass fvd fripostIsStatusActive fripostOptionalMaildrop
+done | isOK '=rsd$' entry
+
+msg "Have =0 access on other domain attributes"
+for D in ${DOMAINS}; do
+ checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
+done | isOK 'none(=0)$' children
+
+msg "Can read and search the mailbox attributes it needs"
+for U in ${USERS}; do
+ checkACL "cn=SMTP" "${U}" entry objectClass fvu fripostIsStatusActive fripostOptionalMaildrop
+done | isOK '=rsd$' entry
+
+msg "Have =0 access on other mailbox attributes"
+for U in ${USERS}; do
+ checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostMailboxQuota description
+done | isOK 'none(=0)$' children
+
+msg "Can read and search the alias attributes it needs"
+for A in ${ALIASES}; do
+ checkACL "cn=SMTP" "${A}" entry objectClass fva fripostMaildrop fripostIsStatusActive
+done | isOK '=rsd$' entry
+
+msg "Have =0 access on other alias attributes"
+for A in ${ALIASES}; do
+ checkACL "cn=SMTP" "${A}" children ${OPERATTRS} fripostOwner description
+done | isOK 'none(=0)$' children
+
+msg "Can read and search the list attributes it needs"
+for L in ${LISTS}; do
+ checkACL "cn=SMTP" "${L}" entry objectClass fvl fripostIsStatusActive fripostLocalAlias fripostIsStatusPending
+done | isOK '=rsd$' entry
+
+msg "Have =0 access on other list attributes"
+for L in ${LISTS}; do
+ checkACL "cn=SMTP" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description
+done | isOK 'none(=0)$' children
+
+msg "Can read and search the list command attributes it needs"
+for LC in ${LISTSC}; do
+ checkACL "cn=SMTP" "${LC}" entry objectClass fvlc fripostIsStatusActive fripostLocalAlias
+done | isOK '=rsd$' entry
+
+msg "Have =0 access on other list command attributes"
+for LC in ${LISTSC}; do
+ checkACL "cn=SMTP" "${LC}" children ${OPERATTRS}
+done | isOK 'none(=0)$' children
+
+ ###########################################################################
+
+echo
+echo "Service ListCreator"
+
+msg "Have =0 access on domain attributes"
+for D in ${DOMAINS}; do
+ checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
+done | isOK '=0$' entry
+
+msg "Have =0 access on mailbox attributes"
+for U in ${USERS}; do
+ checkACL "cn=ListCreator" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostMailboxQuota fripostOptionalMaildrop description
+done | isOK '=0$' entry
+
+msg "Have =0 access on alias attributes"
+for A in ${ALIASES}; do
+ checkACL "cn=ListCreator" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
+done | isOK '=0$' entry
+
+msg "Have =zrd access on lists' pending status"
+for L in ${LISTS}; do
+ checkACL "cn=ListCreator" "${L}" fripostIsStatusPending
+done | isOK '=zrd$'
+
+msg "Have =rsd access on lists' entry attribute"
+for L in ${LISTS}; do
+ checkACL "cn=ListCreator" "${L}" entry
+done | isOK '=rsd$'
+
+msg "Have =a access on lists' children attribute"
+for L in ${LISTS}; do
+ checkACL "cn=ListCreator" "${L}" children
+done | isOK '=a$'
+
+msg "Have =0 access on other list attributes"
+for L in ${LISTS}; do
+ checkACL "cn=ListCreator" "${L}" ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description
+done | isOK '=0$' fvl
+
+msg "Have =a access on list commands' entry attribute"
+for LC in ${LISTSC}; do
+ checkACL "cn=ListCreator" "${LC}" entry
+done | isOK '=a$'
+
+msg "Have =0 access on other list command attributes"
+for LC in ${LISTSC}; do
+ checkACL "cn=ListCreator" "${LC}" children ${OPERATTRS} fvlc fripostLocalAlias
+done | isOK '=0$' children
+
+ ###########################################################################
+
+echo
+echo "Service AdminWebPanel"
+
+msg "Have =0 access on domain attributes"
+for D in ${DOMAINS}; do
+ checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
+done | isOK 'none(=0)$' entry
+
+msg "Have =0 access on mailbox attributes"
+for U in ${USERS}; do
+ checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostMailboxQuota fripostOptionalMaildrop description
+done | isOK 'none(=0)$' entry
+
+msg "Have =0 access on alias attributes"
+for A in ${ALIASES}; do
+ checkACL "cn=AdminWebPanel" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
+done | isOK 'none(=0)$' entry
+
+msg "Have =0 access on list attributes"
+for L in ${LISTS}; do
+ checkACL "cn=AdminWebPanel" "${L}" entry children ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description fripostIsStatusPending
+done | isOK 'none(=0)$' entry
+
+msg "Have =0 access on other list command attributes"
+for LC in ${LISTSC}; do
+ checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias
+done | isOK 'none(=0)$' entry
+
+if sudo -u fpanel klist >/dev/null; then
+ msg "Can SASL authenticate (GSSAPI)"
+ DN=$(echo "dn:cn=AdminWebPanel,${SUFFIXS}" | tr [A-Z] [a-z])
+ DN2=$(sudo -u fpanel ldapwhoami -Q | tr [A-Z] [a-z])
+ if [ "${DN}" = "${DN2}" ]; then echo ok; else echo fail; fi | isOK '^ok$'
+
+ msg "Can proxy authorize"
+ for U in ${USERS}; do
+ DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z])
+ DN2=$(sudo -u fpanel ldapwhoami -Q -X "${DN}" | tr [A-Z] [a-z])
+ if [ "${DN}" = "${DN2}" ]; then echo ok; else echo fail; fi
+ done | isOK '^ok$'
+else
+ echo "WARN: No valid ticket found. Didn't check SSAL authentication"
+fi
+
 rm "${RES}"
-- cgit v1.2.3