From dd62baf63ccc35db4b4a98abbf91d64d23326c84 Mon Sep 17 00:00:00 2001
From: pgamba <pgamba@localhost>
Date: Fri, 30 Nov 2007 09:18:10 +0000
Subject: [PATCH] Fix 2319 - protect access to dc=replicationChanges by default Description dc=replicationChanges is enabled by default on all the replication servers and shows all the modifications done on all replicated suffixes. It may therefore contain sensitive information and should be available only to administrators.
---
opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ReplicationServerTest.java | 90 ++++++++++++++++++++++++++++++++++++++++++--
opends/resource/config/config.ldif | 1
2 files changed, 86 insertions(+), 5 deletions(-)
diff --git a/opends/resource/config/config.ldif b/opends/resource/config/config.ldif
index 6c4ab34..ffb4bd3 100644
--- a/opends/resource/config/config.ldif
+++ b/opends/resource/config/config.ldif
@@ -74,6 +74,7 @@
ds-cfg-global-aci: (target="ldap:///cn=schema")(targetscope="base")(targetattr="attributeTypes||dITContentRules||dITStructureRules||ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///")(targetscope="base")(targetattr="namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedLDAPVersion||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
+ds-cfg-global-aci: (target="ldap:///dc=replicationchanges")(targetattr="*")(version 3.0; acl "Replication backend access"; deny (all) userdn="ldap:///anyone";)
cn: Access Control Handler
ds-cfg-java-class: org.opends.server.authorization.dseecompat.AciHandler
ds-cfg-enabled: true
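Review bot: The added ACI denies `targetattr="*"`, which in the dseecompat ACI syntax appears to match user attributes only; the operational attributes that the preceding "User-Visible Operational Attributes" ACI grants to anyone (createTimestamp, entryUUID, …) may therefore remain readable on entries under dc=replicationChanges unless the target attribute set also covers them. If the handler supports the `+` operational-attribute wildcard, `(targetattr="*||+")` would close that gap; if it does not, a short comment next to the ACI stating that only user attributes are intended to be hidden would avoid the question coming back. The accompanying test relies on cn=Directory Manager still seeing content after this deny, which depends on that account bypassing ACI evaluation rather than on anything in the ACI itself.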
diff --git a/opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ReplicationServerTest.java b/opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ReplicationServerTest.java
index 6499c1e..c57732a 100644
--- a/opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ReplicationServerTest.java
+++ b/opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ReplicationServerTest.java
@@ -87,6 +87,8 @@
import org.opends.messages.Message;
import org.opends.messages.Severity;
import org.opends.server.loggers.ErrorLogger;
+import org.opends.server.tools.LDAPModify;
+import org.opends.server.tools.LDAPSearch;
/**
* Tests for the replicationServer code.
@@ -1160,16 +1162,17 @@
// - Add
String luentry = new String(
- "dn: uid=new person,ou=People,"+suffix+"\n"
+ "dn: cn=Fiona Jensen,ou=People,"+suffix+"\n"
+ "objectClass: top\n"
+ "objectclass: person\n"
+ "objectclass: organizationalPerson\n"
+ "objectclass: inetOrgPerson\n"
+ "cn: Fiona Jensen\n"
+ "sn: Jensen\n"
- + "uid: new person\n"
+ + "givenName: fjensen\n"
+ "telephonenumber: +1 408 555 1212\n"
- + "entryUUID: " + user1entryUUID +"\n");
+ + "entryUUID: " + user1entryUUID +"\n"
+ + "userpassword: fjen$$en"+"\n");
Entry uentry = TestCaseUtils.entryFromLdifString(luentry);
cn = new ChangeNumber(time, ts++, serverId);
AddMsg addMsg2 = new AddMsg(
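Review bot: The last added line, `+ "userpassword: fjen$$en"+"\n"`, concatenates two literals for no reason; `+ "userpassword: fjen$$en\n"` reads the same and matches the surrounding lines. The new `givenName: fjensen` looks like a uid value rather than a given name — with cn `Fiona Jensen` the natural fixture is `givenName: Fiona` plus `uid: fjensen`, which would also keep the uid attribute that this hunk drops. The enclosing test method starts and ends outside the hunk.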
@@ -1299,14 +1302,13 @@
LDAPFilter.decode("(changetype=*)"));
assertEquals(op.getResultCode(), ResultCode.NO_SUCH_OBJECT);
+ testReplicationBackendACIs();
// General search
op = connection.processSearch(
new ASN1OctetString("dc=replicationChanges"),
SearchScope.WHOLE_SUBTREE,
LDAPFilter.decode("(changetype=*)"));
- assertEquals(op.getResultCode(), ResultCode.SUCCESS);
- assertEquals(op.getSearchEntries().size(), 5);
debugInfo("Search result");
LinkedList<SearchResultEntry> entries = op.getSearchEntries();
@@ -1320,6 +1322,9 @@
}
debugInfo("\n" + stream.toString());
+ assertEquals(op.getResultCode(), ResultCode.SUCCESS);
+ assertEquals(op.getSearchEntries().size(), 5);
+
debugInfo("Query / filter based on changetype");
op = connection.processSearch(
new ASN1OctetString("dc=replicationChanges"),
@@ -1400,9 +1405,84 @@
assertEquals(op.getResultCode(), ResultCode.SUCCESS);
assertEquals(op.getSearchEntries().size(), 5);
+
if (server1 != null)
server1.stop();
debugInfo("Successfully ending searchBackend");
}
+
+ private static final ByteArrayOutputStream oStream =
+ new ByteArrayOutputStream();
+ private static final ByteArrayOutputStream eStream =
+ new ByteArrayOutputStream();
+
+ private void testReplicationBackendACIs()
+ {
+ // test search as anonymous
+ String[] args =
+ {
+ "-h", "127.0.0.1",
+ "-p", String.valueOf(TestCaseUtils.getServerLdapPort()),
+ "-b", "dc=replicationChanges",
+ "-s", "sub",
+ "(objectClass=*)"
+ };
+
+ oStream.reset();
+ eStream.reset();
+ int retVal =
+ LDAPSearch.mainSearch(args, false, oStream, eStream);
+ String entries = oStream.toString();
+
+ debugInfo("Entries:" + entries);
+ assertEquals(0, retVal, "Returned error: " + eStream);
+ assertEquals(entries, "", "Returned entries: " + entries);
+
+ // test search as directory manager returns content
+ String[] args3 =
+ {
+ "-h", "127.0.0.1",
+ "-p", String.valueOf(TestCaseUtils.getServerLdapPort()),
+ "-D", "cn=Directory Manager",
+ "-w", "password",
+ "-b", "dc=replicationChanges",
+ "-s", "sub",
+ "(objectClass=*)"
+ };
+
+ oStream.reset();
+ eStream.reset();
+ retVal =
+ LDAPSearch.mainSearch(args3, false, oStream, eStream);
+ entries = oStream.toString();
+
+ debugInfo("Entries:" + entries);
+ assertEquals(0, retVal, "Returned error: " + eStream);
+ assertTrue(!entries.equalsIgnoreCase(""), "Returned entries: " + entries);
+
+ // test write fails : unwilling to perform
+ try
+ {
+ String ldif = new String(
+ "dn: dc=foo, dc=replicationchanges\n"
+ + "objectclass: top\n"
+ + "objectClass: domain\n"
+ + "dc:foo\n");
+ String path = TestCaseUtils.createTempFile(ldif);
+ String[] args4 =
+ {
+ "-h", "127.0.0.1",
+ "-p", String.valueOf(TestCaseUtils.getServerLdapPort()),
+ "-D", "cn=Directory Manager",
+ "-w", "password",
+ "-a",
+ "-f", path
+ };
+
+ retVal =
+ LDAPModify.mainModify(args4, false, oStream, eStream);
+ assertEquals(retVal, 53, "Returned error: " + eStream);
+ } catch(Exception e) {}
+ }
}
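Review bot: The `catch(Exception e) {}` that closes the "write fails" check swallows any exception from `TestCaseUtils.createTempFile` or `LDAPModify.mainModify`, so if the LDIF file cannot be written the unwilling-to-perform assertion is never reached and the helper passes vacuously; either declare `private void testReplicationBackendACIs() throws Exception` and drop the try/catch, or replace the empty catch with `catch (Exception e) { fail("Unexpected exception: " + e, e); }` (TestNG's `fail` would need to be imported if it is not already). `oStream` and `eStream` are not reset before the `mainModify` call, so the "Returned error" message on that assertion still carries the output of the preceding Directory Manager search. The magic `53` would be clearer as `ResultCode.UNWILLING_TO_PERFORM.getIntValue()` if `ResultCode` exposes its integer value that way, and `assertEquals(0, retVal, ...)` earlier in the helper has expected/actual in the opposite order from `assertEquals(retVal, 53, ...)`. The name `testReplicationBackendACIs` suggests a TestNG test method, but it is a private helper called from inside another test; a name such as `checkReplicationBackendACIs` would make that explicit.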
--