#!/bin/sh # This a test suite for the user ACLs. # *Every* modification to the schema and/or to the ACLs should be made # here too! It is crucial that the test suite doesn't break. # # Requires a populated database with every possible test case, like # `populate.ldif'. # The database remains unchanged, but slapacl needs to have read access, # so the test suite may have to be run by root. SLAPACL=/usr/sbin/slapacl SUFFIX="ou=virtual,o=mailHosting,dc=fripost,dc=dev" RES=$(tempfile) || exit 1 checkACL () { CMD=${SLAPACL} BIND="${1},${SUFFIX}" if [ -n "${1}" ]; then CMD="${CMD} -D ${BIND}"; fi if [ -n "${2}" ]; then BASE="${2},${SUFFIX}"; else BASE="${SUFFIX}"; fi shift; shift ${CMD} -b "${BASE}" "$@" 2>&1 | grep -vixF -e "authcDN: \"${BIND}\"" N=1 } msg () { /bin/echo -n " " /bin/echo -n "$@" /bin/echo -n "... " } isOK () { # Ensures that every line in "$RES" satisfies the regexp "$1". # The total count is the number of "$2" attributes, or the number of lines in "$RES". [ -n "${1}" ] || exit 1 cat > "${RES}" if [ -n "${2}" ]; then if [ -n "${3}" ]; then TOT=$(grep -Pic "^${3} access to ${2}: " < "${RES}") else TOT=$(grep -Pic "^((write|add|delete|read|search|compare|auth|disclose) access to )?${2}: " < "${RES}") fi else TOT=$(wc -l < "${RES}") fi FAILS=$(grep -vc "${1}" < "${RES}") if [ ${FAILS} -eq 0 ]; then /bin/echo -n "OK" else echo "Fail! (x${FAILS})"; exit 1 fi /bin/echo -n " (${TOT}/${TOT})" echo # We need a complete test suite ([ -n "${TOT}" ] && [ ${TOT} -ne 0 ]) || (echo "Add more test data."; exit 1) } search () { ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:// "$@" } ######################################################################## DOMAINS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualDomain" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+),.*/fvd=\1/') USERS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualMailbox" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvu=\1,fvd=\2/') ALIASES=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualAlias" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fva=\1,fvd=\2/') LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/') ######################################################################## echo "Anonymous users:" # Anonymous need to bind to any fvu msg "Have =xd access to \"userPassword\" attributes" for U in ${USERS}; do checkACL "" "${U}" userPassword done | isOK 'auth(=xd)$' [ $? -eq 0 ] || exit $? msg "Have =0 access to the rest of user entries" for U in ${USERS}; do checkACL "" "${U}" done | grep -v '^userPassword=.*: auth(=xd)$' | isOK '=0$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to alias entries" for A in ${ALIASES}; do checkACL "" "${A}" done | isOK '=0' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to list entries" for L in ${LISTS}; do checkACL "" "${L}" done | isOK '=0' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to domain entries" for D in ${DOMAINS}; do checkACL "" "${D}" done | isOK '=0' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to the base" checkACL "" "" | isOK '=0' entry [ $? -eq 0 ] || exit $? ########################################################################### echo echo "Authenticated users, access to the base" usersB () { for U in ${USERS}; do checkACL "${U}" "" "$@" done } msg "Have =s access on the base's \"entry\" attribute" usersB entry | isOK '=s' entry [ $? -eq 0 ] || exit $? # Needed to delete domains. They cannot create domains though, as they # would need =a on the "children" attribute. msg "Have =z access on the base's \"children\" attribute" usersB children | isOK '=z$' children [ $? -eq 0 ] || exit $? msg "Have =0 access to the operational attributes" usersB structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' entryUUID [ $? -eq 0 ] || exit $? ########################################################################### echo echo "Authenticated users, access to domain entries" # * entry: # =s-a for all # +rd if children, canCreate{Alias,List}, owner or postmaster # +z if owner or postmaster # * children: # =w for all # * objectClass: # =s for all # * fvd: # =rscd if children, canCreate{Alias,List}, owner or postmaster # +w if owner or postmaster # * fripostIsStatusActive # =rscd if children, canCreate{Alias,List}, owner or postmaster # +w if owner or postmaster # * fripostCanCreateAlias # =rscd if canCreateAlias, owner or postmaster # +w if postmaster # * fripostCanCreateList # =rscd if canCreateList, owner or postmaster # +w if postmaster # * fripostOwner # =s for all # +d if children # +rc if canCreate{Alias,List}, owner or postmaster # * fripostPostmaster # =s for all # +d if children # +rc if canCreate{Alias,List}, owner or postmaster # * fripostOptionalMaildrop # =wrscd if owner or postmaster # * description # =rscd if children, canCreate{Alias,List}, owner or postmaster # +w if owner or postmaster usersD () { for U in ${USERS}; do for D in ${DOMAINS}; do checkACL "${U}" "${D}" "$@" done done } msg "Cannot appoint domain Owners or Postmasters; Cannot add a domain" usersD fripostOwner/add fripostOwner/delete \ fripostPostmaster/add fripostPostmaster/delete \ entry/add \ | isOK 'DENIED$' entry [ $? -eq 0 ] || exit $? # We ensure not to give +a/+z access to the \"entry\" attribute of the # children, unless justified (required to add/delete a child). msg "Have =w access to \"children\"" usersD children | isOK '=w$' children [ $? -eq 0 ] || exit $? msg "Have =s access to \"objectClass\"" usersD objectClass | isOK '=s' objectClass [ $? -eq 0 ] || exit $? msg "Have >=s access on \"entry\", \"fripostOwner\" and \"fripostPostmaster\"" usersD entry/search fripostOwner/search fripostPostmaster/search | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to the operational attributes" usersD structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' entryUUID [ $? -eq 0 ] || exit $? # We check the following permissions: # 0. Simple user # 1. canCreateAlias (exact,wildcard) # 2. canCreateList (exact,wildcard) # 3. Owner # 4. Postmaster # 0 ATTRS0="entry/read entry/disclose fvd/read fvd/search fvd/compare fvd/disclose fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose fripostOwner/disclose fripostPostmaster/disclose description/read description/search description/compare description/disclose" msg "Have >=rscd access to the public attributes of their parent" for U in ${USERS}; do D="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" checkACL "${U}" "${D}" ${ATTRS0} done | isOK 'ALLOWED$' entry read [ $? -eq 0 ] || exit $? # 1 ATTRSA="fripostOwner/read fripostOwner/compare fripostPostmaster/read fripostPostmaster/compare fripostCanCreateAlias/read fripostCanCreateAlias/search fripostCanCreateAlias/compare fripostCanCreateAlias/disclose" msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateAlias, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostCanCreateAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? # 1 msg "Have >=rscd to the public attributes and >=a to \"children\" (if CanCreateAlias, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostCanCreateAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? # 2 ATTRSL="fripostOwner/read fripostOwner/compare fripostPostmaster/read fripostPostmaster/compare fripostCanCreateList/read fripostCanCreateList/search fripostCanCreateList/compare fripostCanCreateList/disclose" msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? # 2 msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? # 3 # >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and # "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and # Postmaster") msg "Have =wrscd to the domain attributes (other than \"canCreate\"), and >=w to \"children\" (if Owner)" ATTRSO="entry/delete fvd/write fripostIsStatusActive/write fripostOptionalMaildrop/delete fripostOptionalMaildrop/add fripostOptionalMaildrop/read fripostOptionalMaildrop/search fripostOptionalMaildrop/compare fripostOptionalMaildrop/disclose description/add description/delete" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? # 4 # >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and # "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and # Postmaster") msg "Have =wrscd to the domain attributes, and >=w to \"children\" (if Postmaster)" ATTRSP="fripostCanCreateAlias/add fripostCanCreateAlias/delete fripostCanCreateList/add fripostCanCreateList/delete" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} ${ATTRSP} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? # not (0 or 1 or 2 or 3 or 4) msg "Have no access to the public attributes of irrelevant domains" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do [ "x${DU}" = "x${D}" ] || \ search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) (fripostCanCreateAlias=${DU},${SUFFIX}) (fripostCanCreateList=${U},${SUFFIX}) (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${D}" ${ATTRS0} done done | isOK 'DENIED$' entry read [ $? -eq 0 ] || exit $? # not (1 or 2 or 3 or 4) msg "Do not have >=rc access to \"canCreate{Alias,List}\", \"Owner\", \"Postmaster\" (unless member)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) (fripostCanCreateAlias=${DU},${SUFFIX}) (fripostCanCreateList=${U},${SUFFIX}) (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entry/add done done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? # not (1 or 3 or 4) msg "Have =0 access to \"canCreateAlias\" (unless member, Owner, or Postmaster)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) (fripostCanCreateAlias=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${D}" fripostCanCreateAlias entry/add done done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? # not (2 or 3 or 4) msg "Have =0 access to \"canCreateList\" (unless member, Owner, or Postmaster)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX}) (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${D}" fripostCanCreateList entry/add done done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? # not (3 or 4) msg "Have =0 access to \"fripostOptionalMaildrop\" (unless Owner or Postmaster)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${D}" ${ATTRSO} done done | isOK 'DENIED$' entry [ $? -eq 0 ] || exit $? # not 4 msg "Do not have >=w access to \"canCreate{Alias,List}\" (unless Postmaster)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' || \ checkACL "${U}" "${D}" ${ATTRSP} entry/add done done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? ########################################################################### echo echo "Authenticated users, access to user entries" # * entry: # =rsd if account owner # +a if domain postmaster # * children: # =0 for all # * objectClass: # =s for all # * fvu: # =wrscd if account owner or domain postmaster # * userPassword: # =w if account owner or domain postmaster # * fripostIsStatusActive: # =wrscd if account owner or domain postmaster # * fripostMailboxQuota: # =rscd if account owner or domain postmaster # * fripostOptionalMaildrop: # =wrscd if account owner or domain postmaster # * description: # =wrscd if account owner or domain postmaster usersU () { for U in ${USERS}; do checkACL "${U}" "${U}" "$@" done } # They would need write access to their fripostMailboxQuota. # In practice they can't write fvu either, since it's single valued. msg "Have =rscxd access to their \"fripostMailboxQuota\"" usersU fripostMailboxQuota | isOK 'read(=rscxd)$' [ $? -eq 0 ] || exit $? msg "Have =wd access to their own \"userPassword\"" usersU userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? msg "Have =wrscxd access to the other attributes of their own entry" usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu [ $? -eq 0 ] || exit $? msg "Have >=rsd access to the \"entry\" attribute of their own entry" usersU entry/read entry/search entry/disclose fvu/read \ | isOK 'ALLOWED$' fvu # fvu is useless here, but it's just to get the count [ $? -eq 0 ] || exit $? msg "Have =0 access to their \"children\" and operational attributes" usersU children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children [ $? -eq 0 ] || exit $? msg "Have =s access to \"objectClass\"" usersD objectClass | isOK '=s' objectClass [ $? -eq 0 ] || exit $? msg "Have =0 access to other user entries (unless Postmaster)" for U1 in ${USERS}; do for U2 in ${USERS}; do D2="$(echo "${U2}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" [ "x${U1}" = "x${U2}" ] || \ search -s base -b "${D2},${SUFFIX}" "(fripostPostmaster=${U1},${SUFFIX})" | grep -q '^dn: ' || \ checkACL "${U1}" "${U2}" entry children \ fvu userPassword \ fripostIsStatusActive \ fripostMailboxQuota \ fripostOptionalMaildrop \ description done done | isOK '=0$' entry [ $? -eq 0 ] || exit $? usersP () { for P in ${USERS}; do for U in ${USERS}; do D="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" [ "x${U}" != "x${P}" ] && \ search -s base -b "${D},${SUFFIX}" "(fripostPostmaster=${P},${SUFFIX})" | grep -q '^dn: ' && \ checkACL "${P}" "${U}" "$@" done done } msg "Have =rscxd access to their user's \"fripostMailboxQuota\" (if Postmaster)" usersP fripostMailboxQuota | isOK 'read(=rscxd)$' [ $? -eq 0 ] || exit $? msg "Have =wd access to their user's \"userPassword\" (if Postmaster)" usersP userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? msg "Have =wrscxd access to the other attributes of their users' entry (if Postmaster)" usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu [ $? -eq 0 ] || exit $? # "+a" is needed to create new accounts. "+z" would be required to # delete such accounts. msg "Have =arsd access to the \"entry\" attribute of their users' entry (if Postmaster)" usersP entry | isOK '=arsd$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to their users' \"children\" and operational attributes (if Postmaster)" usersP children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children [ $? -eq 0 ] || exit $? ########################################################################### echo echo "Authenticated users, access to alias entries" # * entry: # =s for all # +a if canCreateAlias # +rd if alias owner, domain owner or domain postmaster # +z (regular alias) if alias owner # +w (regular alias) if domain owner or domain postmaster # * children: # =0 for all # * objectClass: # =s for all # * fva: # =rscd (reserved alias) if domain owner or domain postmaster # =wrscd (regular alias) if alias owner, domain owner or domain postmaster # * fripostMaildrop: # =wrscd if alias owner, domain owner or domain postmaster # * fripostIsStatusActive: # =rscd (reserved alias) if domain owner or domain postmaster # =wrscd (regular alias) if alias owner, domain owner or domain postmaster # * fripostOwner: # =d for all # +rsc (reserved alias) if domain owner or domain postmaster # +rsc (regular alias) if alias owner, domain owner or domain postmaster # +w (regular alias) if domain owner or domain postmaster # * description: # =wrscd if alias owner, domain owner or domain postmaster usersA () { for U in ${USERS}; do for A in ${ALIASES}; do checkACL "${U}" "${A}" "$@" done done } msg "Have >=s access to \"entry\" and \"fripostOwner\"" usersA fripostOwner/search entry/search | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to the \"children\" and operational attributes" usersA children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children [ $? -eq 0 ] || exit $? msg "Have =s access to \"objectClass\"" usersD objectClass | isOK '=s' objectClass [ $? -eq 0 ] || exit $? RESERVED_ATTRS="entry/delete fva/write fripostIsStatusActive/write" RESERVED_ATTRS2="fripostOwner/add fripostOwner/delete" ATTRS="entry/read entry/disclose fva/read fva/search fva/compare fva/disclose fripostMaildrop/add fripostMaildrop/delete fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose description/add description/delete description/read description/search description/compare description/disclose" msg "Cannot delete/deactivate/change ownership of reserved aliases" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')" [ "x${LA}" = "xabuse" -o "x${LA}" = "xpostmaster" ] && \ checkACL "${U}" "${A}" ${RESERVED_ATTRS} done done | isOK 'DENIED$' entry [ $? -eq 0 ] || exit $? msg "Can delete/deactivate/change ownership of regular aliases (if alias Owner)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')" [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \ search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${A}" ${RESERVED_ATTRS} done done | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? msg "Can delete/deactivate/change ownership of regular aliases (if domain Owner)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')" [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \ search -s base -b "${DA},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${RESERVED_ATTRS2} done done | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? msg "Can delete/deactivate/change ownership of regular aliases (if domain Postmaster)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')" [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \ search -s base -b "${DA},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${RESERVED_ATTRS2} done done | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? msg "Can change destination (if alias Owner)" for U in ${USERS}; do for A in ${ALIASES}; do search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${A}" ${ATTRS} done done | isOK 'ALLOWED$' entry read [ $? -eq 0 ] || exit $? msg "Can change destination and create new aliases (if domain Owner)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DA},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${A}" entry/add ${ATTRS} done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? msg "Can change destination and create new aliases (if domain Postmaster)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DA},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${A}" entry/add ${ATTRS} done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? # Needed to create new entries. ("+z" is required to delete, btw.) msg "Have >=a access to \"entry\" (if CanCreateAlias, exact)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DA},${SUFFIX}" "fripostCanCreateAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${A}" entry/add done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? # Needed to create new entries. ("+z" is required to delete, btw.) msg "Have >=a access to \"entry\" (if CanCreateAlias, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DA},${SUFFIX}" "fripostCanCreateAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${A}" entry/add done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? msg "Do not have >=a access to \"entry\" (unless canCreateAlias)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DA},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) (fripostCanCreateAlias=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${A}" entry/add done done | isOK 'DENIED$' entry add [ $? -eq 0 ] || exit $? msg "Cannot manage ownership (unless domain owner/domain postmaster)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${A}" ${RESERVED_ATTRS2} done done | isOK 'DENIED$' fripostOwner add [ $? -eq 0 ] || exit $? msg "Have no access to aliases entries (unless alias owner/domain owner/domain postmaster)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \ search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${ATTRS} done done | isOK 'DENIED$' entry delete [ $? -eq 0 ] || exit $? ########################################################################### echo echo "Authenticated users, access to list entries" # * entry: # =s for all # +a if canCreateList, domain owner or domain postmaster # +zrd if list owner, domain owner or domain postmaster # * children: # =0 for all # * fvl: # =wrscd if list owner, domain owner or domain postmaster # * fripostListManager: # =rscd if list owner, domain owner or domain postmaster # * fripostIsStatusActive: # =wrscd if list owner, domain owner or domain postmaster # * fripostListCommand: # =rscd if list owner, domain owner or domain postmaster # * fripostOwner: # =d for all # +rsc if list owner, domain owner or domain postmaster # +w if domain owner or domain postmaster # * description: # =wrscd if list owner, domain owner or domain postmaster usersL () { for U in ${USERS}; do for L in ${LISTS}; do checkACL "${U}" "${L}" "$@" done done } msg "Have >=s access on \"entry\" and \"fripostOwner\"" usersL fripostOwner/search entry/search | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access the \"children\" and operational attributes" usersL children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children [ $? -eq 0 ] || exit $? msg "Cannot change transport-related attributes" for U in ${USERS}; do for L in ${LISTS}; do checkACL "${U}" "${L}" fripostListCommand/add fripostListCommand/delete \ fripostListManager/write done done | isOK 'DENIED$' fripostListManager [ $? -eq 0 ] || exit $? ATTRS="entry/read entry/disclose entry/delete fvl/write fvl/read fvl/search fvl/compare fvl/disclose fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose fripostListCommand/read fripostListCommand/search fripostListCommand/compare fripostListCommand/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose description/add description/delete description/read description/compare description/disclose" ATTRS2="fripostOwner/add fripostOwner/delete" msg "Can edit/delete list (if list Owner)" for U in ${USERS}; do for L in ${LISTS}; do search -s base -b "${L},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${L}" ${ATTRS} done done | isOK 'ALLOWED$' entry delete [ $? -eq 0 ] || exit $? msg "Can edit/create/delete list (if domain Owner)" [ $? -eq 0 ] || exit $? for U in ${USERS}; do for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? msg "Can edit/create/delete list (if domain Postmaster)" [ $? -eq 0 ] || exit $? for U in ${USERS}; do for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? # Needed to create new entries. ("+z" is required to delete, btw.) msg "Have >=a access to \"entry\" (if CanCreateList, exact)" for U in ${USERS}; do for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? # Needed to create new entries. ("+z" is required to delete, btw.) msg "Have >=a access to \"entry\" (if CanCreateList, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? msg "Do not have >=a access to \"entry\" (unless canCreateList)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DL},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX}) (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${L}" entry/add done done | isOK 'DENIED$' entry [ $? -eq 0 ] || exit $? msg "Cannot manage ownership (unless domain owner/domain postmaster)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${A}" ${ATTRS2} done done | isOK 'DENIED$' fripostOwner add [ $? -eq 0 ] || exit $? msg "Have no access to list entries (unless list owner/domain owner/domain postmaster)" for U in ${USERS}; do for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${L},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \ search -s base -b "${DL},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${L}" ${ATTRS} entry/delete done done | isOK 'DENIED$' entry delete [ $? -eq 0 ] || exit $? ########################################################################### rm "${RES}"