xref: /netbsd-src/external/bsd/openldap/dist/contrib/slapd-modules/variant/tests/scripts/test006-acl (revision e670fd5c413e99c2f6a37901bb21c537fcd322d2)

#! /bin/sh
## $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2016-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
##
## ACKNOWLEDGEMENTS:
## This module was written in 2016 by Ondřej Kuzník for Symas Corp.

case "$BACKEND" in ldif | null)
	echo "$BACKEND backend does not support access controls, test skipped"
	exit 0
esac

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

CONF=$ACLCONF
. ${SCRIPTDIR}/common.sh

echo "Applying test-specific configuration..."
. $CONFFILTER $BACKEND $MONITORDB < data/test006-config.ldif | \
$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF \
	>> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: Add & Delete

dn: cn=group,ou=Add & Delete,dc=example,dc=com
changetype: add
objectclass: groupOfNames
member: dc=example,dc=com

dn: sn=Doe,ou=Add & Delete,dc=example,dc=com
changetype: add
objectclass: OpenLDAPperson
cn: John
uid: jd

dn: sn=Elliot,ou=Add & Delete,dc=example,dc=com
changetype: add
objectclass: OpenLDAPperson
cn: Mark
uid: me
EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "Testing search ACL processing..."

echo "# Try to read an entry inside the Alumni Association container.
# It should give us noSuchObject if we're not bound..." \
>> $SEARCHOUT
# FIXME: temporarily remove the "No such object" message to make
# the test succeed even if SLAP_ACL_HONOR_DISCLOSE is not #define'd
$LDAPSEARCH -b "$MELLIOTDN" -H $URI1 "(objectclass=*)" \
	2>&1 | grep -v "No such object" >> $SEARCHOUT

echo >>$SEARCHOUT
echo "# ... and should return appropriate attributes if we're bound as anyone
# under Example." \
>> $SEARCHOUT
$LDAPSEARCH -b "$MELLIOTDN" -H $URI1 \
	-D "$BABSDN" -w bjensen "(objectclass=*)" >> $SEARCHOUT 2>&1

$LDAPSEARCH -b "$MELLIOTDN" -H $URI1 \
	-D "$BJORNSDN" -w bjorn "(objectclass=*)" >> $SEARCHOUT 2>&1

echo >>$SEARCHOUT
echo "# Add & Delete subtree contents as seen by Babs" >> $SEARCHOUT
$LDAPSEARCH -b "ou=Add & Delete,dc=example,dc=com" -H $URI1 \
	-D "$BABSDN" -w bjensen "(objectclass=*)" >> $SEARCHOUT 2>&1

echo >>$SEARCHOUT
echo "# Add & Delete subtree contents as seen by Bjorn" >> $SEARCHOUT
$LDAPSEARCH -b "ou=Add & Delete,dc=example,dc=com" -H $URI1 \
	-D "$BJORNSDN" -w bjorn "(objectclass=*)" >> $SEARCHOUT 2>&1

echo "Testing modifications..."
echo "... ACL on the alternative entry"
$LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=group,ou=Add & Delete,dc=example,dc=com
changetype: modify
add: seealso
seealso: $BJORNSDN
EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

$LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by bjensen (should fail)
EOMODS
RC=$?
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit -1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac

$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=group,ou=Add & Delete,dc=example,dc=com
changetype: modify
add: seealso
seealso: $BABSDN
EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

$LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Alumni Assoc Staff, ou=Groups, dc=example, dc=com
changetype: modify
add: description
description: added by bjorn (removed later)
EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

$LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Group,ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: added by bjorn (removed later)
EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

$LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Added by Bjorn,ou=Add & Delete,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
sn: Jensen
EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

$LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Group,ou=Add & Delete,dc=example,dc=com
changetype: modify
add: description
description: another one added by bjorn (should succeed)
EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

echo "... ACL on the variant entry"
$LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Group,ou=Add & Delete,dc=example,dc=com
changetype: modify
add: description
description: added by bjensen (should fail)
EOMODS
RC=$?
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit -1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac

$LDAPMODIFY -D "$BJORNSDN" -H $URI1 -w bjorn >> \
	$TESTOUT 2>&1 << EOMODS
dn: sn=Doe,ou=Add & Delete,dc=example,dc=com
changetype: modify
add: description
description: added by bjorn (will be removed)
EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

$LDAPMODIFY -D "$BABSDN" -H $URI1 -w bjensen >> \
	$TESTOUT 2>&1 << EOMODS
dn: cn=Added by Bjorn,ou=Add & Delete,dc=example,dc=com
changetype: modify
replace: description
description: added by bjensen (should fail)
EOMODS
RC=$?
case $RC in
50)
	;;
0)
	echo "ldapmodify should have failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit -1
	;;
*)
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
	;;
esac

$LDAPMODIFY -D "$JAJDN" -H $URI1 -w jaj >> \
	$TESTOUT 2>&1 << EOMODS
dn: sn=Elliot,ou=Add & Delete,dc=example,dc=com
changetype: modify
delete: description
description: added by bjorn (will be removed)
-
add: description
description: added by jaj (should succeed)
EOMODS
RC=$?
if test $RC != 0 ; then
	echo "ldapmodify failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

sleep $SLEEP0

echo >>$SEARCHOUT
echo "Using ldapsearch to retrieve all the entries..."
echo "# Using ldapsearch to retrieve all the entries..." >> $SEARCHOUT
$LDAPSEARCH -S "" -b "ou=Add & Delete,dc=example,dc=com" \
	-D "$MANAGERDN" -H $URI1 -w $PASSWD \
	'objectClass=*' >> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	exit $RC
fi

test $KILLSERVERS != no && kill -HUP $KILLPIDS

LDIF=data/test006-out.ldif

echo "Filtering ldapsearch results..."
$LDIFFILTER -s e < $SEARCHOUT > $SEARCHFLT
echo "Filtering expected entries..."
$LDIFFILTER -s e < $LDIF > $LDIFFLT
echo "Comparing filter output..."
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT

if test $? != 0 ; then
	echo "comparison failed - operations did not complete correctly"
	exit 1
fi

echo ">>>>> Test succeeded"

test $KILLSERVERS != no && wait

exit 0