From 003fe1fdf96ae79bedb37e88f29beb9987503e19 Mon Sep 17 00:00:00 2001
From: smaguin <smaguin@localhost>
Date: Wed, 04 Jul 2007 12:16:06 +0000
Subject: [PATCH] add fingerprint mapper call loadBVaraibels function to load variables
---
opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth_teardown.xml | 10
opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/fingerprint_mapper.xml | 730 +++++++++++++++++++++++++++++++-----------
opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/subject_attribute_mapper.xml | 24
opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/subject_dn_mapper.xml | 51 +-
opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/equal_dn_mapper.xml | 22
opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth_setup.xml | 107 ++----
opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth.xml | 21
7 files changed, 620 insertions(+), 345 deletions(-)
diff --git a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth.xml b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth.xml
index 6b4d196..a01ef46 100755
--- a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth.xml
+++ b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth.xml
@@ -44,49 +44,44 @@
<call function="'testSuite_Preamble'"/>
+ <import machine="'%s' % (STAF_LOCAL_HOSTNAME)"
+ file="'%s/testcases/security/client_auth/client_auth_lib.xml' % (TESTS_DIR)" />
<import machine="'%s' % (STAF_LOCAL_HOSTNAME)"
file="'%s/testcases/security/security_setup.xml' % (TESTS_DIR)"/>
<call function="'security_setup'"/>
<!-- client authentication setup -->
-
<import machine="'%s' % STAF_LOCAL_HOSTNAME"
file="'%s/testcases/security/client_auth/client_auth_setup.xml' % (TESTS_DIR)"/>
<call function="'client_auth_setup'" />
<!-- fingerprint certificates mapper -->
- <!--
<import machine="'%s' % STAF_LOCAL_HOSTNAME"
- file="'%s/testcases/security/client_auth/fingerprint.xml' % (TESTS_DIR)"/>
- <call function="'fingerprint'" />
- -->
+ file="'%s/testcases/security/client_auth/fingerprint_mapper.xml' % (TESTS_DIR)"/>
+ <call function="'fingerprint_mapper'" />
+
<!-- subject DN to user attribut certificate mapper -->
-
<import machine="'%s' % STAF_LOCAL_HOSTNAME"
file="'%s/testcases/security/client_auth/subject_dn_mapper.xml' % (TESTS_DIR)"/>
<call function="'subject_dn_mapper'" />
<!-- subject attribute to user attribut certificate mapper -->
-
<import machine="'%s' % STAF_LOCAL_HOSTNAME"
file="'%s/testcases/security/client_auth/subject_attribute_mapper.xml' % (TESTS_DIR)"/>
<call function="'subject_attribute_mapper'" />
- <!-- subject equals dn certificate mapper -->
-
+ <!-- subject equals dn certificate mapper -->
<import machine="'%s' % STAF_LOCAL_HOSTNAME"
file="'%s/testcases/security/client_auth/equal_dn_mapper.xml' % (TESTS_DIR)"/>
<call function="'equal_dn_mapper'" />
-
+
<!-- client authentication teardown -->
<import machine="'%s' % STAF_LOCAL_HOSTNAME"
file="'%s/testcases/security/client_auth/client_auth_teardown.xml' % (TESTS_DIR)"/>
- <call function="'client_auth_teardown'" />
-
-
+ <call function="'client_auth_teardown'" />
<import machine="'%s' % (STAF_LOCAL_HOSTNAME)"
file="'%s/testcases/security/security_cleanup.xml' % (TESTS_DIR)"/>
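Review bot: The new import of `client_auth_lib.xml` at the top of this hunk, and every `loadVariables` call the other six files now make, depend on a file that is not among the seven files in this patch's diffstat, so either it already exists in the tree or this commit does not apply on its own; worth confirming before merge. The import is also placed before `security_setup.xml` while the function it provides is only needed from `client_auth_setup` onward, so a one-line comment such as `<!-- client_auth_lib.xml defines loadVariables, shared by every client_auth test file -->` would tell a reader why it sits there. As a point of style, the added import writes `'%s' % (STAF_LOCAL_HOSTNAME)` while the neighbouring client_auth imports in the same hunk use `'%s' % STAF_LOCAL_HOSTNAME`; both are equivalent, but one form throughout the file would be tidier.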
diff --git a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth_setup.xml b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth_setup.xml
index 33146e7..112ca08 100755
--- a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth_setup.xml
+++ b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth_setup.xml
@@ -50,22 +50,13 @@
<testcase name="'Security: client_auth: Setup. certificates configuration'">
<sequence>
- <script>
- USER_1_CERT="client-cert-1"
- USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
- USER_2_CERT="client-cert-2"
- USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
- KEYPASS="password"
- STOREPASS="password"
- SERVER_KEYPASS="servercert"
- SERVER_STOREPASS="servercert"
- CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
- CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
- </script>
-
-
- <message>
- '---- Generating Server Certicate -----'
+
+ <!-- Load in the local shared python objects from libraries -->
+ <call function="'loadVariables'">
+ </call>
+
+ <message>
+ '---- Generating Server Certicate -----'
</message>
<!-- create a server certificate -->
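Review bot: The re-added message on the new side still carries the typo `'---- Generating Server Certicate -----'`; since the line is being rewritten anyway, `'---- Generating Server Certificate -----'` would fix it (the same spelling appears in the later `'---- Export the Server Certicate ----'` context line of this file). The removed `<script>` also defined `SERVER_KEYPASS` and `SERVER_STOREPASS`, and the server-certificate generation that would use them lies past the end of the hunk, so it is assumed that `loadVariables` provides them or their replacements — worth confirming, because a missing name only surfaces as a runtime NameError inside the test run. Unlike the other `loadVariables` call sites in this patch, this one is not preceded by a visible `testCase_Preamble` call; if that is intentional a short comment would help.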
@@ -115,9 +106,9 @@
<call function="'genCertificate'">
{ 'certAlias' : '%s' % USER_1_CERT,
'dname' : '%s' % (USER_1_DN),
- 'storepass' : '%s' % (STOREPASS),
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
'keystore' : '%s' % (CLIENT_KEYSTORE),
- 'keypass' : '%s' % (KEYPASS),
+ 'keypass' : '%s' % (CLIENT_KEYPASS),
'storetype' : 'JKS' }
</call>
@@ -126,8 +117,8 @@
<call function="'SelfSignCertificate'">
{ 'certAlias' : '%s' % USER_1_CERT,
- 'storepass' : '%s' % (STOREPASS),
- 'keypass' : '%s' % (KEYPASS),
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
+ 'keypass' : '%s' % (CLIENT_KEYPASS),
'keystore' : '%s' % (CLIENT_KEYSTORE),
'storetype' : 'JKS' }
</call>
@@ -138,9 +129,9 @@
<call function="'genCertificate'">
{ 'certAlias' : '%s' % USER_2_CERT,
'dname' : '%s' % (USER_2_DN),
- 'storepass' : '%s' % (STOREPASS),
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
'keystore' : '%s' % (CLIENT_KEYSTORE),
- 'keypass' : '%s' % (KEYPASS),
+ 'keypass' : '%s' % (CLIENT_KEYPASS),
'storetype' : 'JKS' }
</call>
@@ -149,8 +140,8 @@
<call function="'SelfSignCertificate'">
{ 'certAlias' : '%s' % USER_2_CERT,
- 'storepass' : '%s' % (STOREPASS),
- 'keypass' : '%s' % (KEYPASS),
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
+ 'keypass' : '%s' % (CLIENT_KEYPASS),
'keystore' : '%s' % (CLIENT_KEYSTORE),
'storetype' : 'JKS' }
</call>
@@ -176,32 +167,14 @@
<testcase name="'Security: client_auth: setup. Export and Import certificates'">
<sequence>
- <script>
-
- CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
- CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
-
- USER_1_CERT="client-cert-1"
- USER_1_CERT_FILE="%s/client_cert_1.txt" % (CERT_TMP)
- USER_1_CERT_FILE_RFC="%s/client_cert_1_rfc.txt" % (CERT_TMP)
- USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
- USER_2_CERT="client-cert-2"
- USER_2_CERT_FILE="%s/client_cert_2.txt" % (CERT_TMP)
- USER_2_CERT_FILE_RFC="%s/client_cert_2_rfc.txt" % (CERT_TMP)
- USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
- SERVER_CERT_FILE="%s/server_cert.txt" % (CERT_TMP)
-
- KEYPASS="password"
- STOREPASS="password"
- SERVER_KEYPASS="servercert"
- SERVER_STOREPASS="servercert"
- </script>
-
<call function="'testCase_Preamble'"/>
-
- <!-- Export the server Cert -->
+ <!-- Load in the local shared python objects from libraries -->
+ <call function="'loadVariables'">
+ </call>
+
+ <!-- Export the server Cert -->
<message>'---- Export the Server Certicate ----'</message>
@@ -218,7 +191,7 @@
<call function="'ExportCertificate'">
{ 'certAlias' : '%s' % USER_1_CERT,
'outputfile' : '%s' % (USER_1_CERT_FILE),
- 'storepass' : '%s' % (STOREPASS),
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
'keystore' : '%s' % (CLIENT_KEYSTORE),
'storetype' : 'JKS' }
</call>
@@ -230,7 +203,7 @@
<call function="'ExportCertificate'">
{ 'certAlias' : '%s' % USER_1_CERT,
'outputfile' : '%s' % (USER_1_CERT_FILE_RFC),
- 'storepass' : '%s' % (STOREPASS),
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
'keystore' : '%s' % (CLIENT_KEYSTORE),
'format' : 'rfc',
'storetype' : 'JKS' }
@@ -243,7 +216,7 @@
<call function="'ExportCertificate'">
{ 'certAlias' :'%s' % USER_2_CERT,
'outputfile' : '%s' % (USER_2_CERT_FILE),
- 'storepass' : '%s' % (STOREPASS),
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
'keystore' : '%s' % (CLIENT_KEYSTORE),
'storetype' : 'JKS' }
</call>
@@ -255,7 +228,7 @@
<call function="'ExportCertificate'">
{ 'certAlias' :'%s' % USER_2_CERT,
'outputfile' : '%s' % (USER_2_CERT_FILE_RFC),
- 'storepass' : '%s' % (STOREPASS),
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
'keystore' : '%s' % (CLIENT_KEYSTORE),
'format' : 'rfc',
'storetype' : 'JKS' }
@@ -270,7 +243,7 @@
<call function="'ImportCertificate'">
{ 'certAlias' : 'server-cert' ,
'inputfile' : '%s' % (SERVER_CERT_FILE),
- 'storepass' : '%s' % (STOREPASS),
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
'keystore' : '%s' % (CLIENT_KEYSTORE),
'storetype' : 'JKS' }
</call>
@@ -320,6 +293,11 @@
<sequence>
<call function="'testCase_Preamble'"/>
+
+ <!-- Load in the local shared python objects from libraries -->
+ <call function="'loadVariables'">
+ </call>
+
<!-- Configure SSL-->
<message>
@@ -452,27 +430,12 @@
<sequence>
<call function="'testCase_Preamble'"/>
+
+ <!-- Load in the local shared python objects from libraries -->
+ <call function="'loadVariables'">
+ </call>
+
<!-- Create users entries-->
- <script>
- CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
-
- USER_1_CERT="client-cert-1"
- USER_1_CERT_FILE="%s/client_cert_1.txt" % (CERT_TMP)
- USER_1_CERT_FILE_RFC="%s/client_cert_1_rfc.txt" % (CERT_TMP)
- USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
- USER_2_CERT="client-cert-2"
- USER_2_CERT_FILE_RFC="%s/client_cert_2_rfc.txt" % (CERT_TMP)
- USER_2_CERT_FILE="%s/client_cert_2.txt" % (CERT_TMP)
- USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
- SERVER_CERT_FILE="%s/server_cert.txt" % (CERT_TMP)
-
- user1LdifFileName='user1_cert.ldif'
- user2LdifFileName='user2_cert.ldif'
- remoteUser1LdifFile='%s/../%s/%s' % (dsPath,relativeDataDir,user1LdifFileName)
- remoteUser2LdifFile='%s/../%s/%s' % (dsPath,relativeDataDir,user2LdifFileName)
- localUser1LdifFile='%s/%s' % (logsTempDir,user1LdifFileName)
- localUser2LdifFile='%s/%s' % (logsTempDir,user2LdifFileName)
- </script>
<!-- Create USER_1_DN -->
<message> '---- Create User entry : %s----' % USER_1_DN</message>
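Review bot: The removed `<script>` at the top of this test case also defined `user1LdifFileName`, `user2LdifFileName`, `remoteUser1LdifFile`, `remoteUser2LdifFile`, `localUser1LdifFile` and `localUser2LdifFile` from `dsPath`, `relativeDataDir` and `logsTempDir`, and nothing in the hunk shows `loadVariables` supplying them; the entry-creation steps that presumably use them continue past the hunk. If `loadVariables` does not export these six names, the first reference after the hunk fails with a Python NameError at run time rather than at review time, so a comment on the call stating what it is expected to define — e.g. `<!-- loadVariables defines USER_*_CERT/_DN, CERT_TMP, CLIENT_KEYSTORE, CLIENT_STOREPASS/CLIENT_KEYPASS and the LDIF path variables -->` — would make the contract checkable. The same implicit dependency applies to the other `loadVariables` call sites in this file and in client_auth_teardown.xml and equal_dn_mapper.xml.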
diff --git a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth_teardown.xml b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth_teardown.xml
index 694f5e0..d4280fa 100755
--- a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth_teardown.xml
+++ b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/client_auth_teardown.xml
@@ -61,13 +61,9 @@
<sequence>
<call function="'testCase_Preamble'"/>
- <script>
- CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
- USER_1_CERT="client-cert-1"
- USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
- USER_2_CERT="client-cert-2"
- USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
- </script>
+ <!-- Load in the local shared python objects from libraries -->
+ <call function="'loadVariables'">
+ </call>
<!--- Unconfigure SSL -->
diff --git a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/equal_dn_mapper.xml b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/equal_dn_mapper.xml
index 254d349..3e12a24 100755
--- a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/equal_dn_mapper.xml
+++ b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/equal_dn_mapper.xml
@@ -85,19 +85,13 @@
<testcase name="'Security: client_auth: Equal DN mapping '">
<sequence>
- <script>
- USER_1_CERT="client-cert-1"
- USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
- USER_2_CERT="client-cert-2"
- USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
- STOREPASS="password"
- CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
- CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
- </script>
<call function="'testCase_Preamble'"/>
-
+ <!-- Load in the local shared python objects from libraries -->
+ <call function="'loadVariables'">
+ </call>
+
<!-- Check mapping is working -->
<message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
@@ -107,7 +101,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseSSL' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
@@ -134,7 +128,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseSSL' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_2_CERT,
@@ -162,7 +156,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
@@ -189,7 +183,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_2_CERT,
diff --git a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/fingerprint_mapper.xml b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/fingerprint_mapper.xml
index 44e5f89..b7fbe48 100755
--- a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/fingerprint_mapper.xml
+++ b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/fingerprint_mapper.xml
@@ -62,7 +62,7 @@
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
'DNToModify' : 'cn=EXTERNAL,cn=SASL Mechanisms,cn=config',
'attributeName' : 'ds-cfg-certificate-mapper-dn',
- 'newAttributeValue' : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',
+ 'newAttributeValue' : 'cn=Fingerprint Mapper,cn=Certificate Mappers,cn=config',
'changetype' : 'replace' }
</call>
@@ -72,79 +72,139 @@
<!---
-#@TestMarker Subject DN mapping to default user attribut
-#@TestName Mapping on ds-certificated-subject-dn attribute
+#@TestMarker FingerPrint certificate mapper
+#@TestName FingerPrint certificate mapper
#@TestIssue
-#@TestPurpose Use the Subject DN to User Attribute certificate mapper
-#@TestPurpose Map the subject of a client certificate and a specified attribute in user entries
-#@TestPurpose The mapping will be done on the default attribut ds-certificate-subject-dn
+#@TestPurpose Use the FingerPrint certificate mapper
+#@TestPurpose Map the MD5 or SHA1 of the provided certificate to a specified attribute in user entries
+#@TestPurpose The mapping will be done on the default attribute ds-certificate-fingerprint
#@TestStep Two users entries are used to validate this mapper
-#@TestStep USER_1_DN contains an attribute ds-certifcated-subject-dn with the subject of the USER_1_CERT client certificate
-#@TestStep USER_2_DN contains an attribute ds-certificate-subject-dn with an invalid value
-#@TestStep The certificate mapping will work only with the USER_1_CERT client certificate
+#@TestStep USER_1_DN contains an attribute ds-certificate-fingerprint with the subject of the MD5 fingerprint of USER_1_CERT client certificate
+#@TestStep USER_2_DN contains an attribute ds-certificate-fingerprint with the subject of the SHA1 fingerprint of USER_2_CERT client certificate
+#@TestStep change the mapper to map on SHA1 fingerprint
#@TestPreamble none
#@TestPostamble none
#@TestResult Success if OpenDS returns 0 for all operations
-->
- <testcase name="'Security: client_auth: subject dn mapping on ds-certificate-subject-dn'">
+ <testcase name="'Security: client_auth: fingerprint mapping on ds-certificate-fingerprint attribute'">
<sequence>
- <script>
-
- USER_1_CERT="client-cert-1"
- USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
- USER_2_CERT="client-cert-2"
- USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
- STOREPASS="password"
- CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
- CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
- </script>
<call function="'testCase_Preamble'"/>
-
- <message>'----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_1_DN</message>
- <message>'----- ds-certificate-subject-dn is the subject of the certificate %s '% USER_1_CERT</message>
-
+
+
+ <!-- Load in the local shared python objects from libraries -->
+ <call function="'loadVariables'">
+ </call>
+
+
+ <!-- get the fingerprint for USER_1_CERT -->
+ <call function="'getFingerprint'">
+ { 'certAlias' : '%s' % USER_1_CERT,
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE) }
+ </call>
+
+ <script>
+ STAXCode = RC
+ certificateResult = STAXResult[0][1]
+ </script>
+ <script>
+ string_len=len(certificateResult)
+ index_MD5=certificateResult.find("MD5:")
+ index_SHA1=certificateResult.find("SHA1:")
+ MD5_fingerprint_cert1=certificateResult[index_MD5+5:index_SHA1].strip()
+ SHA1_fingerprint_cert1=certificateResult[index_SHA1+5:string_len].strip()
+ </script>
+
+ <message>'MD5 fingerprint for %s is : %s ' % (USER_1_CERT,MD5_fingerprint_cert1)</message>
+ <message>'SHA1 fingerprint for %s is : %s ' % (USER_1_CERT,SHA1_fingerprint_cert1)</message>
+
+
+ <!-- get the fingerprint for USER_2_CERT -->
+ <call function="'getFingerprint'">
+ { 'certAlias' : '%s' % USER_2_CERT,
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE) }
+ </call>
+
+ <script>
+ STAXCode = RC
+ certificateResult = STAXResult[0][1]
+ </script>
+ <script>
+ string_len=len(certificateResult)
+ index_MD5=certificateResult.find("MD5:")
+ index_SHA1=certificateResult.find("SHA1:")
+ MD5_fingerprint_cert2=certificateResult[index_MD5+5:index_SHA1].strip()
+ SHA1_fingerprint_cert2=certificateResult[index_SHA1+5:string_len].strip()
+ </script>
+
+ <message>'MD5 fingerprint for %s is : %s ' % (USER_2_CERT,MD5_fingerprint_cert2)</message>
+ <message>'SHA1 fingerprint for %s is : %s ' % (USER_2_CERT,SHA1_fingerprint_cert2)</message>
+
+ <!-- Configure the mapper to map MD5 -->
+ <script>
+ listAttr = []
+ listAttr.append('ds-cfg-certificate-fingerprint-attribute-type:ds-certificate-fingerprint')
+ listAttr.append('ds-cfg-certificate-fingerprint-algorithm:MD5')
+ </script>
+
+ <message>'----- Configure the mapper to map MD5 fingerprint '</message>
+
<call function="'modifyAnAttribute'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
- 'DNToModify' : USER_1_DN,
- 'attributeName' : 'ds-certificate-subject-dn',
- 'newAttributeValue' : USER_1_DN,
- 'changetype' : 'add' }
+ 'DNToModify' : 'cn=Fingerprint Mapper,cn=Certificate Mappers,cn=config',
+ 'listAttributes' : listAttr,
+ 'changetype' : 'replace' }
</call>
+ <!-- configure the user entries -->
+ <message>'----- Configure the attribute ds-certificate-fingerprint for user %s ---' % USER_1_DN</message>
+ <message>'----- ds-certificate-fingerprint is the MD5 fingerprint of the certificate %s ' % USER_1_CERT</message>
+
-
- <message> '----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_2_DN</message>
- <message>'------ ds-certificate-subject-dn contains an invalid DN'</message>
-
-
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'ds-certificate-fingerprint',
+ 'newAttributeValue' : MD5_fingerprint_cert1,
+ 'changetype' : 'add' }
+ </call>
+
+
+ <message> '----- Configure the attribute ds-certificate-fingerprint for user %s ---' % USER_2_DN</message>
+ <message>'------ ds-certificate-fingerprint is the SHA1 fingerprint of the certificate %s ' % USER_2_CERT</message>
+
<call function="'modifyAnAttribute'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
'DNToModify' : USER_2_DN,
- 'attributeName' : 'ds-certificate-subject-dn',
- 'newAttributeValue' : 'uid=bad-certificate',
+ 'attributeName' : 'ds-certificate-fingerprint',
+ 'newAttributeValue' : SHA1_fingerprint_cert2,
'changetype' : 'add' }
- </call>
-
-
+ </call>
<!-- Check mapping is working -->
<message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
<!-- bound as USER_1_DN -->
+
+
<call function="'ldapSearchWithScript'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseSSL' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
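Review bot: The fingerprint extraction in the two new `<script>` blocks at `index_MD5=certificateResult.find("MD5:")` / `index_SHA1=certificateResult.find("SHA1:")` never checks that either marker was found or that `STAXCode` is 0, so a failed or differently formatted `getFingerprint` call makes `find()` return -1, the slice `[index_MD5+5:index_SHA1]` silently yields an arbitrary substring, and that value is then written into the user entry as `ds-certificate-fingerprint`, leaving the later bind checks to fail with an unrelated error instead of pointing at the parse. A guard before the slices — e.g. `if STAXCode != 0 or index_MD5 < 0 or index_SHA1 < 0: raise ValueError('unexpected getFingerprint output: %r' % certificateResult)` — or whatever failure idiom this suite uses inside `<script>` would make that explicit. The same ten parse lines appear four times (twice here and twice in the second test case later in this file), which is a natural candidate for one shared function in client_auth_lib.xml that returns both fingerprints. In the header comment, `with the subject of the MD5 fingerprint of USER_1_CERT` should read `with the MD5 fingerprint of USER_1_CERT` (likewise for the SHA1 line and the second test case's header). The test also ends with the mapper left on `ds-cfg-certificate-fingerprint-algorithm:SHA1` and only restores the user entries; that is fine if later suites reset the mapper as the first hunk of this file does, but a comment saying so would save the next reader the check.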
@@ -166,12 +226,13 @@
</call>
<!-- No bound expected -->
+
<call function="'ldapSearchWithScript'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseSSL' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_2_CERT,
@@ -181,17 +242,19 @@
'dsScope' : 'base',
'expected' : 49 }
</call>
-
+
<message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
<!-- bound as USER_1_DN -->
+
+
<call function="'ldapSearchWithScript'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
@@ -218,7 +281,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_2_CERT,
@@ -229,123 +292,437 @@
'expected' : 49 }
</call>
-
- <!-- Restore initial users configuration -->
-
- <call function="'modifyAnAttribute'">
- { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
- 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
- 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
- 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
- 'DNToModify' : USER_1_DN,
- 'attributeName' : 'ds-certificate-subject-dn',
- 'newAttributeValue' : USER_1_DN,
- 'changetype' : 'delete'}
- </call>
+ <!-- Configure the mapper to map SHA1 fingerprint -->
+ <message>'----- Configure the mapper to map SHA1 fingerprint '</message>
+ <script>
+ listAttr = []
+ listAttr.append('ds-cfg-certificate-fingerprint-attribute-type:ds-certificate-fingerprint')
+ listAttr.append('ds-cfg-certificate-fingerprint-algorithm:SHA1')
+ </script>
+
<call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'cn=Fingerprint Mapper,cn=Certificate Mappers,cn=config',
+ 'listAttributes' : listAttr,
+ 'changetype' : 'replace' }
+ </call>
+
+
+<!-- Check mapping is working -->
+ <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_2_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_2_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <!-- No bound expected -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+ <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_2__DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_2_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+ <!-- Restore initial users configuration -->
+
+
+ <call function="'modifyAnAttribute'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
- 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
- 'DNToModify' : USER_2_DN,
- 'attributeName' : 'ds-certificate-subject-dn',
- 'newAttributeValue' : 'uid=bad-certificate',
- 'changetype' : 'delete'}
- </call>
-
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'ds-certificate-fingerprint',
+ 'newAttributeValue' : MD5_fingerprint_cert1,
+ 'changetype' : 'delete' }
+ </call>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_2_DN,
+ 'attributeName' : 'ds-certificate-fingerprint',
+ 'newAttributeValue' : SHA1_fingerprint_cert2,
+ 'changetype' : 'delete' }
+ </call>
+
<call function="'testCase_Postamble'"/>
</sequence>
</testcase>
+
+
<!---
-#@TestMarker Subject DN mapping to the user attribute's description
-#@TestName Mapping on the attribute description
+#@TestMarker FingerPrint certificate mapper
+#@TestName FingerPrint certificate mapper
#@TestIssue
-#@TestPurpose Use the Subject DN to User Attribute certificate mapper
-#@TestPurpose Map the subject of a client certificate and a specified attribute in user entries
+#@TestPurpose Use the FingerPrint certificate mapper to map on attribute description
+#@TestPurpose Map the MD5 or SHA1 of the provided certificate to a specified attribute in user entries
#@TestPurpose The mapping will be done on the attribute description
#@TestStep Two users entries are used to validate this mapper
-#@TestStep USER_1_DN doesn't contains attribute description
-#@TestStep USER_2_DN contains an attribute description with the USER_2_CERT client certificate
+#@TestStep USER_1_DN contains an attribute ds-certificate-fingerprint with the subject of the SHA1 fingerprint of USER_1_CERT client certificate
+#@TestStep USER_2_DN contains an attribute ds-certificate-fingerprint with the subject of the MD5 fingerprint of USER_2_CERT client certificate
+#@TestStep change the mapper to map on SHA1 fingerprint
#@TestPreamble none
#@TestPostamble none
#@TestResult Success if OpenDS returns 0 for all operations
- -->
+ -->
- <testcase name="'Security: client_auth: subject dn mapping on attribut description'">
+ <testcase name="'Security: client_auth: fingerprint mapping on description attribute'">
<sequence>
- <script>
- USER_1_CERT="client-cert-1"
- USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
- USER_2_CERT="client-cert-2"
- USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
- KEYPASS="servercert"
- STOREPASS="password"
- CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
- CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
-
- </script>
-
<call function="'testCase_Preamble'"/>
+
- <message>'----- Configure the mapping to be done on the attribute description' </message>
-
- <call function="'modifyAnAttribute'">
- { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
- 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
- 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
- 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
- 'DNToModify' : 'cn=Subject DN to User Attribute,cn=Certificate Mappers,cn=config',
- 'attributeName' : 'ds-cfg-certificate-subject-attribute-type',
- 'newAttributeValue' : 'description',
- 'changetype' : 'replace' }
- </call>
+ <!-- Load in the local shared python objects from libraries -->
+ <call function="'loadVariables'">
+ </call>
+
+
+ <!-- get the fingerprint for USER_1_CERT -->
+ <call function="'getFingerprint'">
+ { 'certAlias' : '%s' % USER_1_CERT,
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE) }
+ </call>
+
+ <script>
+ STAXCode = RC
+ certificateResult = STAXResult[0][1]
+ </script>
+ <script>
+ string_len=len(certificateResult)
+ index_MD5=certificateResult.find("MD5:")
+ index_SHA1=certificateResult.find("SHA1:")
+ MD5_fingerprint_cert1=certificateResult[index_MD5+5:index_SHA1].strip()
+ SHA1_fingerprint_cert1=certificateResult[index_SHA1+5:string_len].strip()
+ </script>
- <message>'----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_1_DN</message>
+
+ <message>'MD5 fingerprint for %s is : %s ' % (USER_1_CERT,MD5_fingerprint_cert1)</message>
+ <message>'SHA1 fingerprint for %s is : %s ' % (USER_1_CERT,SHA1_fingerprint_cert1)</message>
+
+
+
+ <!-- get the fingerprint for USER_2_CERT -->
+ <call function="'getFingerprint'">
+ { 'certAlias' : '%s' % USER_2_CERT,
+ 'storepass' : '%s' % (CLIENT_STOREPASS),
+ 'keystore' : '%s' % (CLIENT_KEYSTORE) }
+ </call>
+
+ <script>
+ STAXCode = RC
+ certificateResult = STAXResult[0][1]
+ </script>
+ <script>
+ string_len=len(certificateResult)
+ index_MD5=certificateResult.find("MD5:")
+ index_SHA1=certificateResult.find("SHA1:")
+ MD5_fingerprint_cert2=certificateResult[index_MD5+5:index_SHA1].strip()
+ SHA1_fingerprint_cert2=certificateResult[index_SHA1+5:string_len].strip()
+ </script>
+
+
+ <message>'MD5 fingerprint for %s is : %s ' % (USER_2_CERT,MD5_fingerprint_cert2)</message>
+ <message>'SHA1 fingerprint for %s is : %s ' % (USER_2_CERT,SHA1_fingerprint_cert2)</message>
+
+ <!-- Configure the mapper to map MD5 -->
+ <message>'----- Configure the mapper to map MD5 fingerprint on the attribute description'</message>
+
+ <!-- Configure the mapper to map MD5 -->
+ <script>
+ listAttr = []
+ listAttr.append('ds-cfg-certificate-fingerprint-attribute-type:description')
+ listAttr.append('ds-cfg-certificate-fingerprint-algorithm:MD5')
+ </script>
+
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'cn=Fingerprint Mapper,cn=Certificate Mappers,cn=config',
+ 'listAttributes' : listAttr,
+ 'changetype' : 'replace' }
+ </call>
+
+ <!-- configure the user entries -->
+ <message>'----- Configure the attribute description for user %s ---' % USER_1_DN</message>
+ <message>'----- description is the MD5 fingerprint of the certificate %s ' % USER_1_CERT</message>
+
+
<call function="'modifyAnAttribute'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
- 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
- 'DNToModify' : USER_1_DN,
- 'attributeName' : 'description',
- 'newAttributeValue' : 'bad_cert',
- 'changetype' : 'add' }
- </call>
-
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : MD5_fingerprint_cert1,
+ 'changetype' : 'add' }
+ </call>
- <message> '----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_2_DN</message>
- <message>'------ ds-certificate-subject-dn contains an invalid DN'</message>
+ <message> '----- Configure the attribute description for user %s ---' % USER_2_DN</message>
+ <message>'------ description is the SHA1 fingerprint of the certificate %s ' % USER_2_CERT</message>
+
<call function="'modifyAnAttribute'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
- 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
'DNToModify' : USER_2_DN,
- 'attributeName' : 'description',
- 'newAttributeValue' : USER_2_DN,
- 'changetype' : 'add' }
- </call>
-
+ 'attributeName' : 'description',
+ 'newAttributeValue' : SHA1_fingerprint_cert2,
+ 'changetype' : 'add' }
+ </call>
+
+ <!-- Check mapping is working -->
+ <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_1_DN -->
+
+
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_1_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <!-- No bound expected -->
+
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+
+ <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_1_DN -->
+
+
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_1_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_1_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
+ 'dsUseStartTLS' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base',
+ 'expected' : 49 }
+ </call>
+
+ <!-- Configure the mapper to map SHA1 fingerprint -->
+ <message>'----- Configure the mapper to map SHA1 fingerprint on the attributes description'</message>
+ <script>
+ listAttr = []
+ listAttr.append('ds-cfg-certificate-fingerprint-attribute-type:description')
+ listAttr.append('ds-cfg-certificate-fingerprint-algorithm:SHA1')
+ </script>
+
-
-
- <!-- Check mapping is working -->
- <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'cn=Fingerprint Mapper,cn=Certificate Mappers,cn=config',
+ 'listAttributes' : listAttr,
+ 'changetype' : 'replace' }
+ </call>
- <!-- No mapping expected -->
+
+<!-- Check mapping is working -->
+ <message>'--- Check SSL communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_2_DN -->
+ <call function="'ldapSearchWithScript'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
+ 'dsFilter' : 'objectclass=*' ,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
+ 'dsUseSSL' : ' ',
+ 'dsUseSASLExternal' : ' ',
+ 'dsCertNickname' : USER_2_CERT,
+ 'dsTrustStorePath' : CLIENT_KEYSTORE,
+ 'dsKeyStorePath' : CLIENT_KEYSTORE,
+ 'dsReportAuthzID' : ' ',
+ 'dsScope' : 'base' }
+ </call>
+
+ <script>
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
+ </script>
+ <call function="'CheckMatches'">
+ { 'string2find' : USER_2_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+ <!-- No bound expected -->
<call function="'ldapSearchWithScript'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseSSL' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
@@ -353,18 +730,20 @@
'dsKeyStorePath' : CLIENT_KEYSTORE,
'dsReportAuthzID' : ' ',
'dsScope' : 'base',
- 'expected' : 49 }
+ 'expected' : 49 }
</call>
+
-
- <!-- bound as USER_2_DN -->
- <call function="'ldapSearchWithScript'">
+ <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
+
+ <!-- bound as USER_2__DN -->
+ <call function="'ldapSearchWithScript'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
- 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
- 'dsUseSSL' : ' ',
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
+ 'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_2_CERT,
'dsTrustStorePath' : CLIENT_KEYSTORE,
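Review bot: The new-side comment `<!-- bound as USER_2__DN -->` carries a doubled underscore; the variable used throughout the file is USER_2_DN, so it should read `<!-- bound as USER_2_DN -->`. The rest of the hunk moves this search from the SSL port to the plain port with `dsUseStartTLS`, which matches the StartTLS message added just above it. The ldapSearchWithScript call continues past the end of this hunk.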
@@ -372,27 +751,25 @@
'dsReportAuthzID' : ' ',
'dsScope' : 'base' }
</call>
-
+
<script>
- STAXCode = RC
- ldapSearchResult = STAXResult[0][1]
+ STAXCode = RC
+ ldapSearchResult = STAXResult[0][1]
</script>
<call function="'CheckMatches'">
- { 'string2find' : USER_2_DN ,
- 'mainString' : ldapSearchResult ,
- 'nbExpected' : 1
- }
- </call>
-
- <message>'--- Check StartTLS communication with SASL EXTERNAL authentication'</message>
-
- <!-- No mapping expected -->
+ { 'string2find' : USER_2_DN ,
+ 'mainString' : ldapSearchResult ,
+ 'nbExpected' : 1
+ }
+ </call>
+
+
<call function="'ldapSearchWithScript'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
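Review bot: `STAXCode = RC` in the re-indented script is assigned but nothing visible checks it before `ldapSearchResult = STAXResult[0][1]` is indexed and handed to CheckMatches, so a search that fails to run at all would surface as a "USER_2_DN not found" mismatch instead of the underlying error. This is pre-existing code that the commit only re-indents, so leaving it is defensible, but a line such as `<message>'ldapsearch returned %s' % STAXCode</message>` after the script would make such failures easier to diagnose. The final ldapSearchWithScript call of this hunk continues into the next hunk.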
@@ -400,70 +777,39 @@
'dsKeyStorePath' : CLIENT_KEYSTORE,
'dsReportAuthzID' : ' ',
'dsScope' : 'base',
- 'expected' : 49 }
+ 'expected' : 49 }
</call>
-
-
- <!-- bound as USER_2_DN -->
- <call function="'ldapSearchWithScript'">
- { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
- 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
- 'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
- 'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
- 'dsUseStartTLS' : ' ',
- 'dsUseSASLExternal' : ' ',
- 'dsCertNickname' : USER_2_CERT,
- 'dsTrustStorePath' : CLIENT_KEYSTORE,
- 'dsKeyStorePath' : CLIENT_KEYSTORE,
- 'dsReportAuthzID' : ' ',
- 'dsScope' : 'base' }
- </call>
-
- <script>
- STAXCode = RC
- ldapSearchResult = STAXResult[0][1]
- </script>
- <call function="'CheckMatches'">
- { 'string2find' : USER_2_DN ,
- 'mainString' : ldapSearchResult ,
- 'nbExpected' : 1
- }
- </call>
-
-
- <!-- Restore initial users configuration -->
+
+ <!-- Restore initial users configuration -->
<call function="'modifyAnAttribute'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
- 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
- 'DNToModify' : USER_1_DN,
- 'attributeName' : 'description',
- 'newAttributeValue' : 'bad_cert',
- 'changetype' : 'delete'}
- </call>
-
-
-
- <call function="'modifyAnAttribute'">
- { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
- 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
- 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
- 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
- 'DNToModify' : USER_2_DN,
- 'attributeName' : 'description',
- 'newAttributeValue' : USER_2_DN,
- 'changetype' : 'delete'}
- </call>
-
-
+ 'DNToModify' : USER_1_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : MD5_fingerprint_cert1,
+ 'changetype' : 'delete' }
+ </call>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : USER_2_DN,
+ 'attributeName' : 'description',
+ 'newAttributeValue' : SHA1_fingerprint_cert2,
+ 'changetype' : 'delete' }
+ </call>
+
+
<call function="'testCase_Postamble'"/>
</sequence>
- </testcase>
-
+ </testcase>
+
</sequence>
</function>
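Review bot: The block under `<!-- Restore initial users configuration -->` removes the two description values but leaves the mapper entry as the testcase last configured it: `cn=Fingerprint Mapper,cn=Certificate Mappers,cn=config` is set by `replace` to `ds-cfg-certificate-fingerprint-algorithm:SHA1` and `ds-cfg-certificate-fingerprint-attribute-type:description` earlier in this file, and nothing in this hunk resets those attributes. Unless client_auth_teardown.xml (also touched by this commit) restores them, later testcases in the suite run against a mapper that is no longer in its initial state. Either a further modifyAnAttribute restoring the initial values, or a comment naming where the reset happens, e.g. `<!-- Fingerprint Mapper attributes are reset in client_auth_teardown.xml -->`, would make the intended cleanup explicit.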
diff --git a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/subject_attribute_mapper.xml b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/subject_attribute_mapper.xml
index 57b805c..10056ee 100755
--- a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/subject_attribute_mapper.xml
+++ b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/subject_attribute_mapper.xml
@@ -95,19 +95,13 @@
<testcase name="'Security: client_auth: subject attribute mapping'">
<sequence>
- <script>
- USER_1_CERT="client-cert-1"
- USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
-
- USER_2_CERT="client-cert-2"
- USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
- STOREPASS="password"
- CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
- CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
- </script>
<call function="'testCase_Preamble'"/>
-
+
+ <!-- Load in the local shared python objects from libraries -->
+ <call function="'loadVariables'">
+ </call>
+
<message>
'---- Configure the Subject Attribute to User Attribute mapper -----'
</message>
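Review bot: `<call function="'loadVariables'">` followed by an empty `</call>` on the next line is written differently from the adjacent `<call function="'testCase_Preamble'"/>`; the self-closing `<call function="'loadVariables'"/>` is equivalent and keeps the file consistent. The same two-line form is added in the subject_dn_mapper.xml hunks at `@@ -89,19 +89,14 @@` and `@@ -277,21 +272,13 @@`. loadVariables is not imported by this file itself — presumably it comes from the client_auth_lib.xml that client_auth.xml now imports — so a short comment naming that dependency next to the call would help anyone trying to run this testcase on its own.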
@@ -166,7 +160,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseSSL' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
@@ -193,7 +187,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseSSL' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_2_CERT,
@@ -214,7 +208,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
@@ -241,7 +235,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_2_CERT,
diff --git a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/subject_dn_mapper.xml b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/subject_dn_mapper.xml
index c8ee2d6..f9daae2 100755
--- a/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/subject_dn_mapper.xml
+++ b/opendj-sdk/opends/tests/functional-tests/testcases/security/client_auth/subject_dn_mapper.xml
@@ -50,7 +50,7 @@
<sequence>
<call function="'testCase_Preamble'"/>
-
+
<message>
'---- Configure the SASL EXTERNAL mechanism -----'
</message>
@@ -89,19 +89,14 @@
<testcase name="'Security: client_auth: subject dn mapping on ds-certificate-subject-dn'">
<sequence>
- <script>
- USER_1_CERT="client-cert-1"
- USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
-
- USER_2_CERT="client-cert-2"
- USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
- STOREPASS="password"
- CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
- CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
- </script>
<call function="'testCase_Preamble'"/>
-
+
+ <!-- Load in the local shared python objects from libraries -->
+ <call function="'loadVariables'">
+ </call>
+
+
<message>'----- Configure the attribute ds-certificate-subject-dn for user %s ---' % USER_1_DN</message>
<message>'----- ds-certificate-subject-dn is the subject of the certificate %s '% USER_1_CERT</message>
@@ -144,7 +139,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseSSL' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
@@ -171,7 +166,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseSSL' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_2_CERT,
@@ -191,7 +186,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
@@ -218,7 +213,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_2_CERT,
@@ -277,21 +272,13 @@
<testcase name="'Security: client_auth: subject dn mapping on attribut description'">
<sequence>
- <script>
- USER_1_CERT="client-cert-1"
- USER_1_DN="uid=%s,%s" % (USER_1_CERT,DIRECTORY_INSTANCE_SFX)
-
- USER_2_CERT="client-cert-2"
- USER_2_DN="uid=%s,%s" % (USER_2_CERT,DIRECTORY_INSTANCE_SFX)
- KEYPASS="servercert"
- STOREPASS="password"
- CERT_TMP="%s/CERT_%s" % (DIRECTORY_INSTANCE_DIR,DIRECTORY_INSTANCE_PORT)
- CLIENT_KEYSTORE="%s/keystore" % (CERT_TMP)
-
- </script>
<call function="'testCase_Preamble'"/>
+ <!-- Load in the local shared python objects from libraries -->
+ <call function="'loadVariables'">
+ </call>
+
<message>'----- Configure the mapping to be done on the attribute description' </message>
<call function="'modifyAnAttribute'">
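Review bot: The removed script in this hunk also defined `KEYPASS="servercert"`, which the other two removed scripts in this commit did not, and nothing on the new side provides it. If any later part of this testcase still references KEYPASS, loadVariables must now supply it; worth confirming against client_auth_lib.xml before merging. The testcase name on the context line still reads `attribut description`, which should be `attribute description`.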
@@ -345,7 +332,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseSSL' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
@@ -363,7 +350,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseSSL' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_2_CERT,
@@ -392,7 +379,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_1_CERT,
@@ -410,7 +397,7 @@
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsBaseDN' : DIRECTORY_INSTANCE_SFX,
'dsFilter' : 'objectclass=*' ,
- 'dsKeyStorePassword' : STOREPASS,
+ 'dsKeyStorePassword' : CLIENT_STOREPASS,
'dsUseStartTLS' : ' ',
'dsUseSASLExternal' : ' ',
'dsCertNickname' : USER_2_CERT,
--
Gitblit v1.10.0