From: Ondřej Kuzník <ondra@mistotebe.net>
Date: Wed, 19 Jun 2019 16:47:32 +0000 (+0200)
Subject: [PATCH] ITS#9038 Update test028 to test this is enforced
X-Git-Tag: archive/raspbian/2.4.47+dfsg-3+rpi1+deb10u3^2~7
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=91ad478ab455b802610e2acacb8a32547b8e190d;p=openldap.git

[PATCH] ITS#9038 Update test028 to test this is enforced


Gbp-Pq: Name ITS-9038-Update-test028-to-test-this-is-enforced.patch
---

diff --git a/tests/data/idassert.out b/tests/data/idassert.out
index 53d76bb2..fa51c25d 100644
--- a/tests/data/idassert.out
+++ b/tests/data/idassert.out
@@ -4,6 +4,11 @@ objectClass: dcObject
 o: Example, Inc.
 dc: example
 
+dn: cn=Manager,o=Example,c=US
+objectClass: inetOrgPerson
+cn: Manager
+sn: Parson
+
 dn: ou=People,o=Example,c=US
 objectClass: organizationalUnit
 ou: People
diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
index ca674304..6efd40c6 100644
--- a/tests/data/slapd-idassert.conf
+++ b/tests/data/slapd-idassert.conf
@@ -36,6 +36,7 @@ argsfile	@TESTDIR@/slapd.1.args
 #######################################################################
 
 authz-policy	both
+authz-regexp	"^uid=manager,.+" "cn=Manager,dc=example,dc=com"
 authz-regexp	"^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
 authz-regexp	"^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
 authz-regexp	"^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
index 063d6ec4..3ccbd1a2 100644
--- a/tests/data/test-idassert1.ldif
+++ b/tests/data/test-idassert1.ldif
@@ -4,6 +4,12 @@ objectClass: dcObject
 o: Example, Inc.
 dc: example
 
+dn: cn=Manager,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: Manager
+sn: Parson
+userPassword: secret
+
 dn: ou=People,dc=example,dc=com
 objectClass: organizationalUnit
 ou: People
diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
index 198d45b1..b163629f 100755
--- a/tests/scripts/test028-idassert
+++ b/tests/scripts/test028-idassert
@@ -191,6 +191,17 @@ if test $RC != 0 ; then
 	exit $RC
 fi
 
+AUTHZID="u:it/jaj"
+echo "Checking another DB's rootdn can't assert identity from another DB..."
+$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"
+
+RC=$?
+if test $RC != 1 ; then
+    echo "ldapwhoami should have failed ($RC)!"
+    test $KILLSERVERS != no && kill -HUP $KILLPIDS
+    exit $RC
+fi
+
 ID="uid=jaj,ou=People,dc=example,dc=it"
 BASE="o=Example,c=US"
 echo "Testing ldapsearch as $ID for \"$BASE\"..."
@@ -231,6 +242,19 @@ if test $USE_SASL != "no" ; then
 		exit $RC
 	fi
 
+	ID="manager"
+	AUTHZID="u:it/jaj"
+	echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
+	$LDAPSASLWHOAMI -h $LOCALHOST -p $PORT1 \
+		-Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID
+
+	RC=$?
+	if test $RC != 50 ; then
+		echo "ldapwhoami should have failed ($RC)!"
+		test $KILLSERVERS != no && kill -HUP $KILLPIDS
+		exit $RC
+	fi
+
 	echo "Filtering ldapsearch results..."
 	$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
 	echo "Filtering original ldif used to create database..."