ITS#10313 Add a chaining test

2026-02-02 20:10:11 -05:00 · 2025-10-09 12:50:09 +01:00 · 2025-10-09 12:50:09 +01:00 · bbe436d012
commit bbe436d012
parent 6a28e8919d
1 changed files with 216 additions and 6 deletions
--- a/tests/scripts/test080-hotp
+++ b/tests/scripts/test080-hotp
@ -41,6 +41,8 @@ TOKEN_10=409144
 TOKEN_SHA512_11=17544155
 TOKEN_SHA512_12=48953477
 TOKEN_SHA512_13=94485071
+TOKEN_SHA512_14=72871903
+TOKEN_SHA512_15=93883960

 mkdir -p $TESTDIR $DBDIR1

@ -67,6 +69,7 @@ if test $WAIT != 0 ; then
    echo PID $PID
    read foo
 fi
+PROVIDERPID="$PID"
 KILLPIDS="$PID"

 sleep $SLEEP0
@ -132,7 +135,7 @@ RC=$?
 if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi

 echo "\ta valid and expected token..."
@ -162,7 +165,7 @@ RC=$?
 if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi

 echo "\tanother account sharing the same token..."
@ -182,7 +185,7 @@ RC=$?
 if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi

 echo "\tright token, wrong password..."
@ -192,7 +195,7 @@ RC=$?
 if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi

 echo "\tmaking sure previous token has been retired too..."
@ -202,7 +205,7 @@ RC=$?
 if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi

 echo "\tthe first token we tested that's just become valid..."
@ -239,7 +242,7 @@ RC=$?
 if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
-    exit $RC
+    exit 1
 fi

 echo "\ta valid and expected token..."
@ -275,6 +278,213 @@ if test $RC != 0 ; then
 	exit $RC
 fi

+if test "$BACKLDAP" != "ldapno" && test "$SYNCPROV" != "syncprovno"  ; then 
+echo ""
+echo "Setting up OTP state forwarding test..."
+
+mkdir $DBDIR2
+sed -e "s,$DBDIR1,$DBDIR2," < $CONF1 > $CONF2
+echo "Starting slapd consumer on TCP/IP port $PORT2..."
+$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
+CONSUMERPID=$!
+if test $WAIT != 0 ; then
+    echo CONSUMERPID $CONSUMERPID
+    read foo
+fi
+KILLPIDS="$KILLPIDS $CONSUMERPID"
+
+echo "Configuring syncprov on provider..."
+if [ "$SYNCPROV" = syncprovmod ]; then
+	$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
+dn: cn=module,cn=config
+objectclass: olcModuleList
+cn: module
+olcModulePath: $TESTWD/../servers/slapd/overlays
+olcModuleLoad: syncprov.la
+
+EOF
+	RC=$?
+	if test $RC != 0 ; then
+		echo "ldapadd failed for moduleLoad ($RC)!"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit $RC
+	fi
+fi
+
+$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
+dn: olcOverlay={1}syncprov,olcDatabase={1}$BACKEND,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: {1}syncprov
+
+EOF
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapadd failed for provider database config ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "$MONITOR" -H $URI2 \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting 5 seconds for slapd to start..."
+	sleep 5
+done
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+echo "Configuring syncrepl on consumer..."
+if [ "$BACKLDAP" = ldapmod ]; then
+	$LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
+dn: cn=module,cn=config
+objectclass: olcModuleList
+cn: module
+olcModulePath: $TESTWD/../servers/slapd/back-ldap
+olcModuleLoad: back_ldap.la
+
+EOF
+	RC=$?
+	if test $RC != 0 ; then
+		echo "ldapadd failed for moduleLoad ($RC)!"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit $RC
+	fi
+fi
+$LDAPMODIFY -D cn=config -H $URI2 -y $CONFIGPWF <<EOF >> $TESTOUT 2>&1
+dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcChainConfig
+olcOverlay: {0}chain
+
+dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
+changetype: add
+objectClass: olcLDAPConfig
+objectClass: olcChainDatabase
+olcDBURI: $URI1
+olcDbIDAssertBind: bindmethod=simple
+  binddn="cn=manager,dc=example,dc=com"
+  credentials=secret
+  mode=self
+
+dn: olcDatabase={1}$BACKEND,cn=config
+changetype: modify
+add: olcSyncrepl
+olcSyncrepl: rid=1
+  provider=$URI1
+  binddn="cn=manager,dc=example,dc=com"
+  bindmethod=simple
+  credentials=secret
+  searchbase="dc=example,dc=com"
+  type=refreshAndPersist
+  retry="3 5 300 5"
+-
+add: olcUpdateref
+olcUpdateref: $URI1
+-
+
+EOF
+RC=$?
+if test $RC != 0 ; then
+	echo "ldapmodify failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+if [ "$OTP" = otpmod ]; then
+$LDAPADD -D cn=config -H $URI2 -y $CONFIGPWF \
+    >> $TESTOUT 2>&1 <<EOMOD
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: $TESTWD/../servers/slapd/overlays
+olcModuleLoad: otp.la
+EOMOD
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapmodify failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+fi
+
+echo "Loading test otp configuration..."
+$LDAPMODIFY -v -D cn=config -H $URI2 -y $CONFIGPWF \
+    >> $TESTOUT 2>&1 <<EOMOD
+dn: olcOverlay={0}otp,olcDatabase={1}$BACKEND,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+EOMOD
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapmodify failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo "Waiting for consumer to sync..."
+sleep $SLEEP1
+
+echo "Consumer+chaining tests:"
+
+echo "\tconsumer accepts a new token..."
+$LDAPWHOAMI -D "$BABSDN" -H $URI2 -w "bjensen$TOKEN_SHA512_14" \
+    >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+    echo "ldapwhoami failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
+echo "\ta used up token reached the provider..."
+$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_14" \
+    >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 49 ; then
+    echo "ldapwhoami should have failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit 1
+fi
+
+echo "Checking token status..."
+$LDAPCOMPARE -D "$MANAGERDN" -H $URI1 -w $PASSWD \
+    "ou=Information Technology Division,ou=People,dc=example,dc=com" \
+    oathHOTPCounter:14 \
+    >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 6 ; then
+	echo "ldapcompare failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit 1
+fi
+
+echo "Stopping provider..."
+kill -HUP $PROVIDERPID
+wait $PROVIDERPID
+KILLPIDS="$CONSUMERPID"
+
+echo "Testing that successful chaining is mandatory..."
+$LDAPWHOAMI -D "$BABSDN" -H $URI2 -w "bjensen$TOKEN_SHA512_15" \
+    >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 49 ; then
+    echo "ldapwhoami should have failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit 1
+fi
+
+fi
+
 test $KILLSERVERS != no && kill -HUP $KILLPIDS

 LDIF=$DATADIR/otp/test001-out.ldif