From 12e81808d4160bc5ef9d56b885ea1bd00dd4d697 Mon Sep 17 00:00:00 2001
From: ugaston <ugaston@localhost>
Date: Fri, 09 Jan 2009 17:40:19 +0000
Subject: [PATCH] Add set of SSF testcases to SASL test suite
---
opendj-sdk/opends/tests/staf-tests/shared/functions/ldap.xml | 2
opendj-sdk/opends/tests/staf-tests/functional-tests/testcases/security/sasl/security_sasl_digest-md5.xml | 451 ++++++++++++++++++++++++++++++++++++++++++++++++++
opendj-sdk/opends/tests/staf-tests/shared/java/ldap/saslSearchClient.java | 32 +++
3 files changed, 481 insertions(+), 4 deletions(-)
diff --git a/opendj-sdk/opends/tests/staf-tests/functional-tests/testcases/security/sasl/security_sasl_digest-md5.xml b/opendj-sdk/opends/tests/staf-tests/functional-tests/testcases/security/sasl/security_sasl_digest-md5.xml
index a2a49ab..c8aec40 100755
--- a/opendj-sdk/opends/tests/staf-tests/functional-tests/testcases/security/sasl/security_sasl_digest-md5.xml
+++ b/opendj-sdk/opends/tests/staf-tests/functional-tests/testcases/security/sasl/security_sasl_digest-md5.xml
@@ -3098,6 +3098,372 @@
</testcase>
+ <!--- Test case: Admin remove global read access ACI -->
+ <!---
+ Place test-specific test information here.
+ The tag, TestMarker, must be the same as the tag, TestSuiteName.
+ #@TestMarker SASL DIGEST-MD5 Tests
+ #@TestName Remove global ACI
+ #@TestIssue
+ #@TestPurpose Admin remove global read acces ACI for
+ ssf bind rule tests
+ #@TestPreamble none
+ #@TestStep dsconfig call to remove global aci
+ #@TestPostamble none
+ #@TestResult Success if operation successful and posterior
+ search returns no entry.
+ -->
+ <testcase name=
+ "getTestCaseName('DIGEST-MD5 - Remove global ACI')">
+ <sequence>
+ <call function="'testCase_Preamble'"/>
+ <message>
+ 'Security: SASL DIGEST-MD5: Remove global ACI'
+ </message>
+
+ <message>
+ 'Delete global search ACI'
+ </message>
+
+ <script>
+ global_aci="(targetattr!=\"userPassword||authPassword\")(version 3.0; acl \"Anonymous read access\"; allow (read,search,compare) userdn=\"ldap:///anyone\";)"
+ </script>
+
+ <call function="'modifyGlobalAci'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'aciValue' : global_aci ,
+ 'opType' : 'remove'
+ }
+ </call>
+
+ <message>
+ 'Make sure read access is not granted (no entries returned).'
+ </message>
+
+ <script>
+ test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
+ </script>
+ <call function="'SearchObject'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : test_user,
+ 'dsInstancePswd' : 'newleg' ,
+ 'dsBaseDN' : 'dc=example,dc=com' ,
+ 'dsFilter' : 'objectclass=*'
+ }
+ </call>
+
+ <script>
+ returnString = STAXResult[0][1]
+ </script>
+
+ <call function="'searchStringForSubstring'">
+ { 'returnString' : returnString ,
+ 'testString' : 'dn: uid=tmorris,ou=People'
+ }
+ </call>
+
+ <if expr="returnCode != '0'">
+ <tcstatus result="'fail'"/>
+ </if>
+
+ <call function="'testCase_Postamble'"/>
+
+ </sequence>
+ </testcase>
+
+ <!---
+ Place test-specific test information here.
+ The tag, TestMarker, must be the same as the tag, TestSuiteName.
+ #@TestMarker SASL DIGEST-MD5 Tests
+ #@TestName SSF {ssf=1 ; qop=confidentiality}
+ #@TestIssue
+ #@TestPurpose Test the ssf bind rule
+ #@TestPreamble none
+ #@TestStep Add ssf bind rule aci: ssf = "1"
+ #@TestStep SASL bind with confidentiality
+ #@TestPostamble none
+ #@TestResult Success if sasl bind succeeds but access is
+ NOT granted.
+ -->
+ <testcase name=
+ "getTestCaseName('DIGEST-MD5 - SSF {ssf=1 ; qop=confidentiality}')">
+ <sequence>
+ <call function="'testCase_Preamble'"/>
+ <message>
+ 'Security: SASL DIGEST-MD5: SSF {ssf=1 ; qop=confidentialiy}'
+ </message>
+
+
+ <message>
+ 'Adding ACI with ssf bind rule: ssf = 1'
+ </message>
+
+ <script>
+ ssf_aci="(targetattr=\"*\")(version 3.0; acl \"ssf-aci\"; allow (read,search,compare) userdn=\"ldap:///anyone\" and ssf = \"1\";)"
+ </script>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'o=SASL Tests,dc=example,dc=com' ,
+ 'attributeName' : 'aci' ,
+ 'newAttributeValue' : ssf_aci ,
+ 'changetype' : 'replace'
+ }
+ </call>
+
+
+ <script>
+ test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
+ </script>
+ <call function="'saslSearch'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
+ 'dsBaseDN' : 'dc=example,dc=com',
+ 'dsScope' : 'sub',
+ 'dsFilter' : 'objectclass=*',
+ 'mechanism' : 'DIGEST-MD5',
+ 'authenticationId' : 'dn:%s' % test_user,
+ 'password' : 'newleg',
+ 'protection' : 'auth-conf'
+ }
+ </call>
+
+ <script>
+ returnString = STAXResult[0][1]
+ </script>
+
+ <message>
+ 'Search result: %s' % returnString
+ </message>
+
+ <call function="'searchStringForSubstring'">
+ { 'returnString' : returnString,
+ 'testString' : 'uid=tmorris,ou=People'
+ }
+ </call>
+
+ <if expr="returnCode != '0'">
+ <tcstatus result="'fail'"/>
+ </if>
+
+ <call function="'testCase_Postamble'"/>
+
+ </sequence>
+ </testcase>
+
+
+ <!--- Test case: Admin set qop=integrity -->
+ <!---
+ Place test-specific test information here.
+ The tag, TestMarker, must be the same as the tag, TestSuiteName.
+ #@TestMarker SASL DIGEST-MD5 Tests
+ #@TestName Re-Set qop = integrity
+ #@TestIssue
+ #@TestPurpose Admin set QOP in SASL DIGEST-MD5 mechanism.
+ #@TestPreamble none
+ #@TestStep ldapmodify used to set qop.
+ #@TestPostamble none
+ #@TestResult Success if OpenDS returns 0.
+ -->
+ <testcase name=
+ "getTestCaseName('DIGEST-MD5 - Re-Set QOP = integrity')">
+ <sequence>
+ <call function="'testCase_Preamble'"/>
+ <message>
+ 'Security: SASL DIGEST-MD5: Re-Set QOP = integrity'
+ </message>
+
+ <call function="'modifySaslMech'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
+ 'handlerName' : 'DIGEST-MD5',
+ 'propertyName' : 'quality-of-protection',
+ 'propertyValue' : 'integrity'
+ }
+ </call>
+
+ <call function="'testCase_Postamble'"/>
+
+ </sequence>
+ </testcase>
+
+
+ <!---
+ Place test-specific test information here.
+ The tag, TestMarker, must be the same as the tag, TestSuiteName.
+ #@TestMarker SASL DIGEST-MD5 Tests
+ #@TestName SSF {ssf=1 ; qop=integrity}
+ #@TestIssue
+ #@TestPurpose Test the ssf bind rule
+ #@TestPreamble none
+ #@TestStep Add ssf bind rule aci: ssf = "1"
+ #@TestStep SASL bind with integrity
+ #@TestPostamble none
+ #@TestResult Success if sasl bind succeeds and access is
+ granted.
+ -->
+ <testcase name=
+ "getTestCaseName('DIGEST-MD5 - SSF {ssf=1 ; qop=integrity}')">
+ <sequence>
+ <call function="'testCase_Preamble'"/>
+ <message>
+ 'Security: SASL DIGEST-MD5: SSF {ssf=1 ; qop=integrity}'
+ </message>
+
+
+ <message>
+ 'Adding ACI with ssf bind rule: ssf = 1'
+ </message>
+
+ <script>
+ ssf_aci="(targetattr=\"*\")(version 3.0; acl \"ssf-aci\"; allow (read,search,compare) userdn=\"ldap:///anyone\" and ssf = \"1\";)"
+ </script>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'o=SASL Tests,dc=example,dc=com' ,
+ 'attributeName' : 'aci' ,
+ 'newAttributeValue' : ssf_aci ,
+ 'changetype' : 'replace'
+ }
+ </call>
+
+
+ <script>
+ test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
+ </script>
+ <call function="'saslSearch'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
+ 'dsBaseDN' : 'dc=example,dc=com',
+ 'dsScope' : 'sub',
+ 'dsFilter' : 'objectclass=*',
+ 'mechanism' : 'DIGEST-MD5',
+ 'authenticationId' : 'dn:%s' % test_user,
+ 'password' : 'newleg',
+ 'protection' : 'auth-int'
+ }
+ </call>
+
+ <script>
+ returnString = STAXResult[0][1]
+ </script>
+
+ <message>
+ 'Search result: %s' % returnString
+ </message>
+
+ <call function="'searchStringForSubstring'">
+ { 'returnString' : returnString,
+ 'testString' : 'uid=tmorris,ou=People'
+ }
+ </call>
+
+ <if expr="returnCode != '1'">
+ <tcstatus result="'fail'"/>
+ </if>
+
+ <call function="'testCase_Postamble'"/>
+
+ </sequence>
+ </testcase>
+
+
+ <!---
+ Place test-specific test information here.
+ The tag, TestMarker, must be the same as the tag, TestSuiteName.
+ #@TestMarker SASL DIGEST-MD5 Tests
+ #@TestName SSF {ssf>40 ; qop=integrity}
+ #@TestIssue
+ #@TestPurpose Test the ssf bind rule
+ #@TestPreamble none
+ #@TestStep Add ssf bind rule aci: ssf > "40"
+ #@TestStep SASL bind with integrity
+ #@TestPostamble none
+ #@TestResult Success if sasl bind succeeds but access is
+ NOT granted.
+ -->
+ <testcase name=
+ "getTestCaseName('DIGEST-MD5 - SSF {ssf>40 ; qop=integrity}')">
+ <sequence>
+ <call function="'testCase_Preamble'"/>
+ <message>
+ 'Security: SASL DIGEST-MD5: SSF {ssf>40 ; qop=integrity}'
+ </message>
+
+
+ <message>
+ 'Adding ACI with ssf bind rule: ssf > 40'
+ </message>
+
+ <script>
+ ssf_aci="(targetattr=\"*\")(version 3.0; acl \"ssf-aci\"; allow (read,search,compare) userdn=\"ldap:///anyone\" and ssf > \"40\";)"
+ </script>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'o=SASL Tests,dc=example,dc=com' ,
+ 'attributeName' : 'aci' ,
+ 'newAttributeValue' : ssf_aci ,
+ 'changetype' : 'replace'
+ }
+ </call>
+
+
+ <script>
+ test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
+ </script>
+ <call function="'saslSearch'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
+ 'dsBaseDN' : 'dc=example,dc=com',
+ 'dsScope' : 'sub',
+ 'dsFilter' : 'objectclass=*',
+ 'mechanism' : 'DIGEST-MD5',
+ 'authenticationId' : 'dn:%s' % test_user,
+ 'password' : 'newleg',
+ 'protection' : 'auth-int'
+ }
+ </call>
+
+ <script>
+ returnString = STAXResult[0][1]
+ </script>
+
+ <message>
+ 'Search result: %s' % returnString
+ </message>
+
+ <call function="'searchStringForSubstring'">
+ { 'returnString' : returnString,
+ 'testString' : 'uid=tmorris,ou=People'
+ }
+ </call>
+
+ <if expr="returnCode != '0'">
+ <tcstatus result="'fail'"/>
+ </if>
+
+ <call function="'testCase_Postamble'"/>
+
+ </sequence>
+ </testcase>
+
+
+
<!--- Test case: Admin unset qop -->
<!---
Place test-specific test information here.
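Review bot: The negative checks in the new "Remove global ACI" (L63–L85), "SSF {ssf=1 ; qop=confidentiality}" (L160–L168) and "SSF {ssf>40 ; qop=integrity}" (L365–L373) cases only assert that `uid=tmorris,ou=People` is absent from the output; the search's own return status is never examined, so a failed SASL bind, a wrong password or a connection error also passes, and the test cannot tell "access denied by the ssf bind rule" from "bind never succeeded". Each of those cases should also assert the operation itself returned success before checking for the missing entry, e.g. `if STAXResult[0][0] != 0: fail` — assuming the first element of `STAXResult[0]` is the return code, as `STAXResult[0][1]` being the output suggests; confirm against `saslSearch`. Separately, `'changetype' : 'replace'` on the `aci` attribute of `o=SASL Tests,dc=example,dc=com` presumably discards any other ACI values on that entry, which is worth a comment if intended or a change to `add` if not. Minor: `'confidentialiy'` on L111 and `'acces'` on L23 are misspelled.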
@@ -3134,6 +3500,91 @@
</sequence>
</testcase>
+
+ <!---
+ Place test-specific test information here.
+ The tag, TestMarker, must be the same as the tag, TestSuiteName.
+ #@TestMarker SASL DIGEST-MD5 Tests
+ #@TestName SSF {ssf=1 ; qop=none}
+ #@TestIssue
+ #@TestPurpose Test the ssf bind rule
+ #@TestPreamble none
+ #@TestStep Add ssf bind rule aci: ssf = "1"
+ #@TestStep SASL bind with no qop
+ #@TestPostamble none
+ #@TestResult Success if sasl bind succeeds but access is
+ NOT granted.
+ -->
+ <testcase name=
+ "getTestCaseName('DIGEST-MD5 - SSF {ssf=1 ; qop=none}')">
+ <sequence>
+ <call function="'testCase_Preamble'"/>
+ <message>
+ 'Security: SASL DIGEST-MD5: SSF {ssf=1 ; qop=none}'
+ </message>
+
+
+ <message>
+ 'Adding ACI with ssf bind rule: ssf = 1'
+ </message>
+
+ <script>
+ ssf_aci="(targetattr=\"*\")(version 3.0; acl \"ssf-aci\"; allow (read,search,compare) userdn=\"ldap:///anyone\" and ssf = \"1\";)"
+ </script>
+
+ <call function="'modifyAnAttribute'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
+ 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
+ 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
+ 'DNToModify' : 'o=SASL Tests,dc=example,dc=com' ,
+ 'attributeName' : 'aci' ,
+ 'newAttributeValue' : ssf_aci ,
+ 'changetype' : 'replace'
+ }
+ </call>
+
+
+ <script>
+ test_user = 'uid=test-user, ou=People, o=SASL Tests, dc=example,dc=com'
+ </script>
+ <call function="'saslSearch'">
+ { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST,
+ 'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
+ 'dsBaseDN' : 'dc=example,dc=com',
+ 'dsScope' : 'sub',
+ 'dsFilter' : 'objectclass=*',
+ 'mechanism' : 'DIGEST-MD5',
+ 'authenticationId' : 'dn:%s' % test_user,
+ 'password' : 'newleg',
+ 'protection' : 'auth'
+ }
+ </call>
+
+ <script>
+ returnString = STAXResult[0][1]
+ </script>
+
+ <message>
+ 'Search result: %s' % returnString
+ </message>
+
+ <call function="'searchStringForSubstring'">
+ { 'returnString' : returnString,
+ 'testString' : 'uid=tmorris,ou=People'
+ }
+ </call>
+
+ <if expr="returnCode != '0'">
+ <tcstatus result="'fail'"/>
+ </if>
+
+ <call function="'testCase_Postamble'"/>
+
+ </sequence>
+ </testcase>
+
+
<!--- Test case: DIGEST-MD5 SASL Mechanism -->
<!---
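Review bot: This "SSF {ssf=1 ; qop=none}" case is a near-verbatim copy of the confidentiality and integrity cases earlier in the file, differing only in the `'protection'` value and the expected return code; the ACI setup, `test_user` and `saslSearch` call would be better factored into one shared function taking `protection` and the expected outcome, so a future change to the ssf ACI or the test user's password is made in one place. As with the other negative cases, the assertion on L457–L465 only checks that the entry is absent; it should first confirm the search itself succeeded (presumably `STAXResult[0][0] == 0`) so that a bind failure is not reported as "access correctly denied". The test also depends on the preceding "Admin unset qop" case having run, which is worth stating in `#@TestPreamble` rather than `none`.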
diff --git a/opendj-sdk/opends/tests/staf-tests/shared/functions/ldap.xml b/opendj-sdk/opends/tests/staf-tests/shared/functions/ldap.xml
index 7f1e9fd..6b721ad 100755
--- a/opendj-sdk/opends/tests/staf-tests/shared/functions/ldap.xml
+++ b/opendj-sdk/opends/tests/staf-tests/shared/functions/ldap.xml
@@ -3399,7 +3399,7 @@
</call>
<return>
- [RC,STAXResult]
+ STAXResult
</return>
</sequence>
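Review bot: Changing the return from `[RC,STAXResult]` to `STAXResult` alters this function's contract for every caller, not just the new SSF test cases that index `STAXResult[0][1]`; any existing caller still destructuring a two-element `[rc, result]` list would now silently receive the wrong values rather than fail loudly. Worth grepping the other test suites for calls to this function before merging, and documenting the new return shape in the function's comment, e.g. `<!-- returns STAXResult of the search: [[rc, output], ...] -->`, if that is indeed what the client produces. The enclosing function starts outside this hunk, so its name and existing callers could not be checked here.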
diff --git a/opendj-sdk/opends/tests/staf-tests/shared/java/ldap/saslSearchClient.java b/opendj-sdk/opends/tests/staf-tests/shared/java/ldap/saslSearchClient.java
index fb54766..2846360 100644
--- a/opendj-sdk/opends/tests/staf-tests/shared/java/ldap/saslSearchClient.java
+++ b/opendj-sdk/opends/tests/staf-tests/shared/java/ldap/saslSearchClient.java
@@ -37,6 +37,9 @@
import javax.naming.CommunicationException;
import javax.naming.directory.InvalidSearchFilterException;
import javax.security.sasl.AuthenticationException;
+import javax.naming.NamingEnumeration;
+import javax.naming.directory.SearchResult;
+import javax.naming.directory.SearchControls;
import java.util.HashSet;
import java.util.Iterator;
@@ -57,9 +60,9 @@
// Ldapsearch parameters
String hostname = null;
String ldapPort = null;
- String scope = null;
String basedn = null;
String filter = null;
+ int scope;
// SASL options
@@ -80,6 +83,8 @@
Hashtable envLdap = new Hashtable();
LdapContext ctx = null;
+ SearchControls searchControls = null;
+ NamingEnumeration results = null;
@@ -95,7 +100,16 @@
ldapPort = val1;
}
if (opt1.equals("-s")) {
- scope = val1;
+ if (val1.equals("base")) {
+ scope = SearchControls.OBJECT_SCOPE;
+ } else if (opt1.equals("one")) {
+ scope = SearchControls.ONELEVEL_SCOPE;
+ } else {
+ // default scope: "sub"
+ scope = SearchControls.SUBTREE_SCOPE;
+ }
+ searchControls = new SearchControls();
+ searchControls.setSearchScope(scope);
}
if (opt1.equals("-b")) {
basedn = val1;
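Review bot: The `one` branch can never be taken: `opt1` holds the option name `-s` at this point, so `opt1.equals("one")` is always false and `-s one` silently falls through to `SUBTREE_SCOPE`; the line should read `} else if (val1.equals("one")) {`. Also, `searchControls` is only constructed inside the `-s` branch, so a command line without `-s` later passes `null` to `ctx.search`, which leaves the scope to the JNDI default rather than the `sub` the comment promises — initialising `searchControls` with `SUBTREE_SCOPE` before option parsing would make the default real. The option-parsing loop starts outside this hunk.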
@@ -178,7 +192,7 @@
ctx = new InitialLdapContext(envLdap, null);
// issue ldapsearch
- ctx.search(basedn, filter, null);
+ results = ctx.search(basedn, filter, searchControls);
ctx.close();
} catch (CommunicationException e1) {
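Review bot: `results` is assigned here but only drained after `ctx.close()` on the line that follows, so the enumeration is consumed against a context that has already been closed; whether the entries can still be read then depends on the provider keeping the connection open for outstanding enumerations, which is not something the test client should rely on. Drain and close the enumeration inside this try block before `ctx.close()`, or close the context in a `finally` after the results have been printed. The enclosing try block starts outside this hunk.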
@@ -229,6 +243,18 @@
}
}
+ try {
+ if ((errorCode.equals("0")) && (results != null)) {
+ while (results.hasMore()) {
+ SearchResult searchResult = (SearchResult) results.next();
+ System.out.println(searchResult.toString());
+ }
+ results.close();
+ }
+ } catch (NamingException ne) {
+ ne.printStackTrace();
+ }
+
int RC = Integer.parseInt(errorCode);
System.exit(RC);
}
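Review bot: A `NamingException` thrown by `results.hasMore()` or `results.next()` is only printed and `errorCode` is left at `"0"`, so the client exits 0 with partial output; because the calling STAF tests assert on the absence of an entry, a search that fails mid-enumeration would be indistinguishable from "access correctly denied by the ssf rule". The catch block should set a non-zero `errorCode` (matching however the other catch blocks in this file map exceptions to codes, which is not visible here), e.g. `errorCode = "1";` before the trace, and `results.close()` should move to a `finally` so the enumeration is released on the error path as well.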
--
Gitblit v1.10.0