From 2b01b8dd56bf944ae41c170ba54a823626174f4a Mon Sep 17 00:00:00 2001 From: Ryan Tandy Date: Mon, 23 Mar 2020 17:37:20 -0700 Subject: [PATCH] ITS#6035 Create test script --- configure.in | 2 + tests/run.in | 3 +- tests/scripts/defines.sh | 1 + tests/scripts/test076-authid-rewrite | 626 +++++++++++++++++++++++++++ 4 files changed, 631 insertions(+), 1 deletion(-) create mode 100755 tests/scripts/test076-authid-rewrite diff --git a/configure.in b/configure.in index c4f9dbe3dd..0bbce5af37 100644 --- a/configure.in +++ b/configure.in @@ -529,6 +529,7 @@ SLAPD_LIBS= BUILD_SLAPD=no +BUILD_REWRITE=no BUILD_THREAD=no BUILD_SLAPI=no @@ -3043,6 +3044,7 @@ AC_SUBST(WITH_SASL) AC_SUBST(WITH_TLS) AC_SUBST(WITH_MODULES_ENABLED) AC_SUBST(WITH_ACI_ENABLED) +AC_SUBST(BUILD_REWRITE) AC_SUBST(BUILD_THREAD) AC_SUBST(BUILD_LIBS_DYNAMIC) diff --git a/tests/run.in b/tests/run.in index 0d82bfba1f..1f010d396e 100644 --- a/tests/run.in +++ b/tests/run.in @@ -59,6 +59,7 @@ AC_WITH_TLS=@WITH_TLS@ AC_TLS_TYPE=@WITH_TLS_TYPE@ AC_WITH_MODULES_ENABLED=@WITH_MODULES_ENABLED@ AC_ACI_ENABLED=aci@WITH_ACI_ENABLED@ +AC_REWRITE=@BUILD_REWRITE@ AC_THREADS=threads@BUILD_THREAD@ AC_LIBS_DYNAMIC=lib@BUILD_LIBS_DYNAMIC@ @@ -77,7 +78,7 @@ export AC_ldap AC_mdb AC_meta AC_asyncmeta AC_monitor AC_null AC_relay AC_sql \ AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \ AC_valsort \ AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \ - AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE + AC_REWRITE AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE if test ! -x ../servers/slapd/slapd ; then echo "Could not locate slapd(8)" diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh index 883a1fcfe3..1d6c2b3f13 100755 --- a/tests/scripts/defines.sh +++ b/tests/scripts/defines.sh @@ -51,6 +51,7 @@ WITH_TLS=${AC_WITH_TLS-no} WITH_TLS_TYPE=${AC_TLS_TYPE-no} ACI=${AC_ACI_ENABLED-acino} +REWRITE=${AC_REWRITE-no} THREADS=${AC_THREADS-threadsno} SLEEP0=${SLEEP0-1} SLEEP1=${SLEEP1-7} 
diff --git a/tests/scripts/test076-authid-rewrite b/tests/scripts/test076-authid-rewrite
new file mode 100755
index 0000000000..0ebba43f08
--- /dev/null
+++ b/tests/scripts/test076-authid-rewrite
@@ -0,0 +1,626 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software .
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## .
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $WITH_SASL = no; then
+ echo "SASL authentication not available, test skipped"
+ exit 0
+fi
+
+CONFDIR=$TESTDIR/slapd.d
+
+mkdir -p $TESTDIR $CONFDIR $DBDIR1
+
+$SLAPPASSWD -g -n >$CONFIGPWF
+
+echo "Starting slapd on TCP/IP port $PORT1... $PWD"
+. $CONFFILTER $BACKEND $MONITORDB < $DYNAMICCONF > $CONFLDIF
+$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF
+cd $TESTDIR
+$SLAPD -F ./slapd.d -h $URI1 -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+ echo PID $PID
+ read foo
+fi
+KILLPIDS="$PID"
+cd $TESTWD
+
+sleep 1
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "" -H $URI1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting 5 seconds for slapd to start..."
+ sleep 5
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo "Adding schema and database..."
+$LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+include: file://$ABS_SCHEMADIR/core.ldif
+
+include: file://$ABS_SCHEMADIR/cosine.ldif
+
+include: file://$ABS_SCHEMADIR/inetorgperson.ldif
+
+include: file://$ABS_SCHEMADIR/openldap.ldif
+
+include: file://$ABS_SCHEMADIR/nis.ldif
+EOF
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapadd failed for schema config ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+if [ "$BACKENDTYPE" = mod ]; then
+ $LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND
+olcModuleLoad: back_$BACKEND.la
+EOF
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapadd failed for backend config ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+fi
+
+$LDAPADD -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: olcDatabase={1}$BACKEND,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olc${BACKEND}Config
+olcDatabase: {1}$BACKEND
+olcSuffix: $BASEDN
+olcDbDirectory: $DBDIR1
+olcRootDN: $MANAGERDN
+olcRootPW: $PASSWD
+EOF
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapadd failed for database config ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+if test $INDEXDB = indexdb ; then
+ $LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: olcDatabase={1}$BACKEND,cn=config
+changetype: modify
+add: olcDbIndex
+olcDbIndex: objectClass,entryUUID,entryCSN eq
+olcDbIndex: cn,uid pres,eq,sub
+EOF
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapmodify failed for index config ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+fi
+
+echo "Using ldapadd to populate the database..."
+$LDAPADD -H $URI1 -D "$MANAGERDN" -w $PASSWD < $LDIFORDERED >>$TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapadd failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo
+
+echo "Adding olcAuthzRegexp rule for static mapping..."
+$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+add: olcAuthzRegexp
+olcAuthzRegexp: uid=manager,cn=[^,]+,cn=auth $MANAGERDN
+EOF
+RC=$?
+if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=Manager
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $PASSWD
+RC=$?
+if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo
+
+echo "Adding olcAuthzRegexp rule to search by uid..."
+$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+add: olcAuthzRegexp
+olcAuthzRegexp: uid=([^,]+),cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=\$1)
+EOF
+RC=$?
+if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=Manager
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $PASSWD
+RC=$?
+if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=bjensen
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $ID
+RC=$?
+if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo
+
+echo "Inserting olcAuthzRegexp rule before the last..."
+$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+add: olcAuthzRegexp
+olcAuthzRegexp: {1}uid=babs,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjensen)
+EOF
+RC=$?
+if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=Manager
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $PASSWD
+RC=$?
+if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=babs
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w bjensen
+RC=$?
+if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=bjensen
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $ID
+RC=$?
+if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo
+
+echo "Deleting the first olcAuthzRegexp rule..."
+$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+delete: olcAuthzRegexp
+olcAuthzRegexp: {0}
+EOF
+RC=$?
+if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=Manager
+echo "Testing ldapwhoami as $ID (should fail)..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $PASSWD
+RC=$?
+if test $RC != 49; then
+ echo "ldapwhoami unexpected result ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=babs
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w bjensen
+RC=$?
+if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=bjensen
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $ID
+RC=$?
+if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo
+
+echo "Updating an olcAuthzRegexp rule in place..."
+$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+delete: olcAuthzRegexp
+olcAuthzRegexp: {0}
+-
+add: olcAuthzRegexp
+olcAuthzRegexp: {0}uid=biff,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjorn)
+EOF
+RC=$?
+if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=babs
+echo "Testing ldapwhoami as $ID (should fail)..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w bjensen
+RC=$?
+if test $RC != 49; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=biff
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w bjorn
+RC=$?
+if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=bjensen
+echo "Testing ldapwhoami as $ID..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $ID
+RC=$?
+if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo
+
+echo "Deleting all olcAuthzRegexp rules..."
+$LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+delete: olcAuthzRegexp
+EOF
+RC=$?
+if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+ID=bjensen
+echo "Testing ldapwhoami as $ID (should fail)..."
+$LDAPSASLWHOAMI -H $URI1 -U $ID -w $ID
+RC=$?
+if test $RC != 49; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo
+
+if test $REWRITE = yes; then
+ echo "Initializing olcAuthIDRewrite engine..."
+ $LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+add: olcAuthIDRewrite
+olcAuthIDRewrite: rewriteEngine ON
+olcAuthIDRewrite: rewriteContext authid
+EOF
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ echo
+
+ echo "Adding olcAuthIDRewrite rule for static mapping..."
+ $LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+add: olcAuthIDRewrite
+olcAuthIDRewrite: rewriteRule uid=manager,cn=[^,]+,cn=auth $MANAGERDN :
+EOF
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=Manager
+ echo "Testing ldapwhoami as $ID..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w $PASSWD
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ echo
+
+ echo "Adding olcAuthIDRewrite rule to search by uid..."
+ $LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+add: olcAuthIDRewrite
+olcAuthIDRewrite: rewriteRule uid=([^,]+),cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=\$1) :
+EOF
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=Manager
+ echo "Testing ldapwhoami as $ID..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w $PASSWD
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=bjensen
+ echo "Testing ldapwhoami as $ID..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w $ID
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ echo
+
+ echo "Inserting olcAuthIDRewrite rule before the last..."
+ $LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+add: olcAuthIDRewrite
+olcAuthIDRewrite: {3}rewriteRule uid=babs,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjensen) :
+EOF
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=Manager
+ echo "Testing ldapwhoami as $ID..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w $PASSWD
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=babs
+ echo "Testing ldapwhoami as $ID..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w bjensen
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=bjensen
+ echo "Testing ldapwhoami as $ID..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w $ID
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ echo
+
+ echo "Deleting the first olcAuthIDRewrite rule..."
+ $LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+delete: olcAuthIDRewrite
+olcAuthIDRewrite: {2}
+EOF
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=Manager
+ echo "Testing ldapwhoami as $ID (should fail)..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w $PASSWD
+ RC=$?
+ if test $RC != 49; then
+ echo "ldapwhoami unexpected result ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=babs
+ echo "Testing ldapwhoami as $ID..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w bjensen
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=bjensen
+ echo "Testing ldapwhoami as $ID..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w $ID
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ echo
+
+ echo "Updating an olcAuthIDRewrite rule in place..."
+ $LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+delete: olcAuthIDRewrite
+olcAuthIDRewrite: {2}
+-
+add: olcAuthIDRewrite
+olcAuthIDRewrite: {2}rewriteRule uid=biff,cn=[^,]+,cn=auth ldap:///$BASEDN??sub?(uid=bjorn) :
+EOF
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=babs
+ echo "Testing ldapwhoami as $ID (should fail)..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w bjensen
+ RC=$?
+ if test $RC != 49; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=biff
+ echo "Testing ldapwhoami as $ID..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w bjorn
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=bjensen
+ echo "Testing ldapwhoami as $ID..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w $ID
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ echo
+
+ echo "Deleting all olcAuthIDRewrite rules..."
+ $LDAPMODIFY -H $URI1 -D cn=config -y $CONFIGPWF <>$TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+delete: olcAuthIDRewrite
+EOF
+ RC=$?
+ if test $RC != 0; then
+ echo "ldapmodify failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ ID=bjensen
+ echo "Testing ldapwhoami as $ID (should fail)..."
+ $LDAPSASLWHOAMI -H $URI1 -U $ID -w $ID
+ RC=$?
+ if test $RC != 49; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ echo
+
+else
+ echo "librewrite not enabled, skipping olcAuthIDRewrite tests"
+fi
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0
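Review bot: The negative checks (every `Testing ldapwhoami as $ID (should fail)...` step, three for olcAuthzRegexp and three for olcAuthIDRewrite) do not fail the test when the bind unexpectedly succeeds: the branch is entered because `$RC != 49`, but it then runs `exit $RC`, and with RC=0 that exits 0, so the harness records a pass even though the mapping that was just deleted or replaced still granted the identity. These are the steps that prove a removed authz mapping no longer works, so the one value they most need to reject is the one they currently turn into success. In each of those six branches replace `exit $RC` with `exit 1` (or set `test $RC = 0 && RC=1` before the exit), and use the `ldapwhoami unexpected result ($RC)!` wording in all six rather than `ldapwhoami failed ($RC)!` in four of them, since "failed" there describes the intended outcome. Only the slapd-started and ldapmodify/ldapadd branches should keep propagating `$RC` as the exit status.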