cyrus-sasl/tests/sanity-ldapdb-plugin/runtest.sh

#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   runtest.sh of /CoreOS/cyrus-sasl/Sanity/sanity-ldapdb-plugin
#   Description: The ldapdb auxprop plugin provides access to credentials stored in an LDAP server.
#   Author: David Spurek <dspurek@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   Copyright (c) 2012 Red Hat, Inc. All rights reserved.
#
#   This copyrighted material is made available to anyone wishing
#   to use, modify, copy, or redistribute it subject to the terms
#   and conditions of the GNU General Public License version 2.
#
#   This program is distributed in the hope that it will be
#   useful, but WITHOUT ANY WARRANTY; without even the implied
#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
#   PURPOSE. See the GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public
#   License along with this program; if not, write to the Free
#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
#   Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1

PACKAGE="cyrus-sasl"

PACKAGES=( "cyrus-sasl"       \
           "cyrus-sasl-devel" \
           "cyrus-sasl-ldap"  \
           "cyrus-sasl-plain" \
           "expect"           \
           "pam"              \
           "openldap"         \
           "openldap-clients" \
           "openldap-servers" \
           "cyrus-sasl-md5"   )

# else branch is also relevant for Fedora
if rlIsRHEL '<6'; then
    SERVICE_LDAP=ldap
else
    SERVICE_LDAP=slapd
fi

ldapdb_id="sasluser"
ldapdb_pw="x"

SASL_PASSWORD="x"
SASL_USER="test"

if [ "`uname -i`" = "i386" ]; then
    LIBDIR=/usr/lib
else
    LIBDIR=/usr/lib64
fi
rlIsRHEL 5 && [ "`uname -i`" = "ia64" ] &&  LIBDIR=/usr/lib

function slapd_conf {
cat >/etc/openldap/slapd.conf<<'EOF'
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        bdb
suffix          "dc=my-domain,dc=com"
rootdn          "uid=admin,dc=my-domain,dc=com"
rootpw          x

directory       /var/lib/ldap

password-hash   {CLEARTEXT}

authz-policy to
authz-regexp
        uid=(.*),cn=.*,cn=auth
        "ldap:///dc=my-domain,dc=com??sub?(uid=$1)"

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

access to * by * write
access to * by * read
access to * by * auth

EOF
return $?
}

function data_ldif {
cat >data.ldif<<EOF
dn: dc=my-domain,dc=com
objectclass: top
objectclass: domain
dc: my-domain

dn: ou=Admins,dc=my-domain,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Admins

dn: uid=$ldapdb_id,ou=People,dc=my-domain,dc=com
objectClass: person
objectClass: inetOrgPerson
userPassword: $ldapdb_pw
uid: $ldapdb_id
cn: $ldapdb_id
sn: $ldapdb_id
authzTo: ldap:///ou=People,dc=my-domain,dc=com??sub?(&(objectclass=inetOrgPerson)(uid=*))

dn: ou=People,dc=my-domain,dc=com
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=$SASL_USER,ou=People,dc=my-domain,dc=com
objectClass: person
objectClass: inetOrgPerson
userPassword: x
uid: $SASL_USER
cn: $SASL_USER
sn: $SASL_USER
EOF
return $?
}

function sasl_client {
expect <<EOF
set timeout 30
spawn sasl2-sample-client -p 8000 -s rcmd -m PLAIN localhost
expect {
    timeout {exit 1}
    eof {exit 2}
    -nocase "please enter an authentication id:" { puts $1 ; send "$1\r"}
}
expect {
    timeout {exit 3}
    eof {exit 4}
    -nocase "please enter an authorization id:" { puts $1 ; send "$1\r"}
}
expect {
    timeout {exit 5}
    eof {exit 6}
    -nocase "Password:" { puts $2 ; send "$2\r"}
}
expect {
    timeout {exit 8}
    -nocase "successful authentication" { expect eof  ; exit 0}
    -nocase "authentication failed" {exit 9}
}
expect eof
exit 0
EOF
}

# ldapdb configuration for services, in this test for sasl2-sample-server
# configuration may be for smtpd.conf,imapd.conf instead of sample.conf
function smtpd_ldapdb {
cat >$LIBDIR/sasl2/sample.conf<<EOF
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
ldapdb_uri: ldap://localhost
ldapdb_id: $ldapdb_id
ldapdb_pw: $ldapdb_pw
ldapdb_mech: DIGEST-MD5
EOF
return $?
}


rlJournalStart
    rlPhaseStartSetup
        for P in ${PACKAGES[@]}; do rlCheckRpm $P || rlDie "Package $P is missing"; done
        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
        rlRun "pushd $TmpDir"

        rlFileBackup --clean "$LIBDIR/sasl2/sample.conf"
        rlFileBackup --clean "/etc/sasldb2"

        rlRun "smtpd_ldapdb" 0

        rlServiceStop $SERVICE_LDAP

        # Back-up.
        rlFileBackup --clean /var/run/openldap
        rlFileBackup --clean /var/lib/ldap && rm -rf /var/lib/ldap/*
        rlFileBackup --clean /etc/openldap/

        rlRun "slapd_conf" 0
        rlRun "cat /etc/openldap/slapd.conf" 0
        if rlIsRHEL '>=6' || rlIsFedora '>=14'; then
            rm -rf /etc/openldap/slapd.d/*
            slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
        fi

        rlRun "data_ldif" 0
        rlRun "slapadd -l data.ldif" 0

        chown -R ldap:ldap /var/lib/ldap/* && chmod -R a+rx /etc/openldap/

        rlRun "restorecon -vvRF /etc/openldap/"
        rlRun "service $SERVICE_LDAP start && sleep 10" 0

    rlPhaseEnd

    rlPhaseStartTest
        rlRun "ldapsearch -LLL -H ldap://localhost -s base  -b '' -x supportedSASLMechanisms" 0
        rlRun "ldapsearch -H ldap://localhost -x -b 'dc=my-domain,dc=com' '(objectclass=*)'" 0 "Check ldap entries without SASL"

        # this two ldapwhoami commands may be used for testing purposes
        #        rlRun "ldapwhoami -U $ldapdb_id -Y digest-md5" 0
        #        rlRun "ldapwhoami -U $ldapdb_id -X u:test@localhost -Y digest-md5" 0

        # sasl sample server uses ldap sasluser as sasl bind id
        # then try search user passed to sample client in ldap database
        rlRun "sasl2-sample-server -p 8000 -s rcmd -m PLAIN &>sample_server.log &" 0
        SASL_PID=`pgrep -f "sasl2-sample-server -p 8000 -s rcmd -m PLAIN"`
        rlRun "sasl_client $SASL_USER ${SASL_PASSWORD}" 0
        rlRun "sasl_client baduser ${SASL_PASSWORD}" 9
        rlRun "kill $SASL_PID" 0 ; sleep 5
        rlRun "cat sample_server.log" 0
    rlPhaseEnd

    rlPhaseStartCleanup
        rlRun "service $SERVICE_LDAP stop && sleep 10" 0
        rlFileRestore
        rlServiceRestore $SERVICE_LDAP
        rlRun "popd"
        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
    rlPhaseEnd
rlJournalPrintText
rlJournalEnd
Add CI tests using the standard test interface 2017-10-05 11:42:11 +00:00			`#!/bin/bash`
			`# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k`
			`# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
			`#`
			`# runtest.sh of /CoreOS/cyrus-sasl/Sanity/sanity-ldapdb-plugin`
			`# Description: The ldapdb auxprop plugin provides access to credentials stored in an LDAP server.`
			`# Author: David Spurek <dspurek@redhat.com>`
			`#`
			`# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
			`#`
			`# Copyright (c) 2012 Red Hat, Inc. All rights reserved.`
			`#`
			`# This copyrighted material is made available to anyone wishing`
			`# to use, modify, copy, or redistribute it subject to the terms`
			`# and conditions of the GNU General Public License version 2.`
			`#`
			`# This program is distributed in the hope that it will be`
			`# useful, but WITHOUT ANY WARRANTY; without even the implied`
			`# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR`
			`# PURPOSE. See the GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public`
			`# License along with this program; if not, write to the Free`
			`# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,`
			`# Boston, MA 02110-1301, USA.`
			`#`
			`# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

			`# Include Beaker environment`
			`. /usr/bin/rhts-environment.sh \|\| exit 1`
			`. /usr/share/beakerlib/beakerlib.sh \|\| exit 1`

			`PACKAGE="cyrus-sasl"`

			`PACKAGES=( "cyrus-sasl" \`
			`"cyrus-sasl-devel" \`
			`"cyrus-sasl-ldap" \`
			`"cyrus-sasl-plain" \`
			`"expect" \`
			`"pam" \`
			`"openldap" \`
			`"openldap-clients" \`
			`"openldap-servers" \`
			`"cyrus-sasl-md5" )`

			`# else branch is also relevant for Fedora`
			`if rlIsRHEL '<6'; then`
			`SERVICE_LDAP=ldap`
			`else`
			`SERVICE_LDAP=slapd`
			`fi`

			`ldapdb_id="sasluser"`
			`ldapdb_pw="x"`

			`SASL_PASSWORD="x"`
			`SASL_USER="test"`

			if [ "`uname -i`" = "i386" ]; then
			`LIBDIR=/usr/lib`
			`else`
			`LIBDIR=/usr/lib64`
			`fi`
			rlIsRHEL 5 && [ "`uname -i`" = "ia64" ] && LIBDIR=/usr/lib

			`function slapd_conf {`
			`cat >/etc/openldap/slapd.conf<<'EOF'`
			`include /etc/openldap/schema/core.schema`
			`include /etc/openldap/schema/cosine.schema`
			`include /etc/openldap/schema/inetorgperson.schema`
			`include /etc/openldap/schema/nis.schema`

			`allow bind_v2`

			`pidfile /var/run/openldap/slapd.pid`
			`argsfile /var/run/openldap/slapd.args`

			`database bdb`
			`suffix "dc=my-domain,dc=com"`
			`rootdn "uid=admin,dc=my-domain,dc=com"`
			`rootpw x`

			`directory /var/lib/ldap`

			`password-hash {CLEARTEXT}`

			`authz-policy to`
			`authz-regexp`
			`uid=(.),cn=.,cn=auth`
			`"ldap:///dc=my-domain,dc=com??sub?(uid=$1)"`

			`index objectClass eq,pres`
			`index ou,cn,mail,surname,givenname eq,pres,sub`
			`index uidNumber,gidNumber,loginShell eq,pres`
			`index uid,memberUid eq,pres,sub`
			`index nisMapName,nisMapEntry eq,pres,sub`

			`access to * by * write`
			`access to * by * read`
			`access to * by * auth`

			`EOF`
			`return $?`
			`}`

			`function data_ldif {`
			`cat >data.ldif<<EOF`
			`dn: dc=my-domain,dc=com`
			`objectclass: top`
			`objectclass: domain`
			`dc: my-domain`

			`dn: ou=Admins,dc=my-domain,dc=com`
			`objectclass: top`
			`objectclass: organizationalUnit`
			`ou: Admins`

			`dn: uid=$ldapdb_id,ou=People,dc=my-domain,dc=com`
			`objectClass: person`
			`objectClass: inetOrgPerson`
			`userPassword: $ldapdb_pw`
			`uid: $ldapdb_id`
			`cn: $ldapdb_id`
			`sn: $ldapdb_id`
			`authzTo: ldap:///ou=People,dc=my-domain,dc=com??sub?(&(objectclass=inetOrgPerson)(uid=*))`

			`dn: ou=People,dc=my-domain,dc=com`
			`objectclass: top`
			`objectclass: organizationalUnit`
			`ou: People`

			`dn: uid=$SASL_USER,ou=People,dc=my-domain,dc=com`
			`objectClass: person`
			`objectClass: inetOrgPerson`
			`userPassword: x`
			`uid: $SASL_USER`
			`cn: $SASL_USER`
			`sn: $SASL_USER`
			`EOF`
			`return $?`
			`}`

			`function sasl_client {`
			`expect <<EOF`
			`set timeout 30`
			`spawn sasl2-sample-client -p 8000 -s rcmd -m PLAIN localhost`
			`expect {`
			`timeout {exit 1}`
			`eof {exit 2}`
			`-nocase "please enter an authentication id:" { puts $1 ; send "$1\r"}`
			`}`
			`expect {`
			`timeout {exit 3}`
			`eof {exit 4}`
			`-nocase "please enter an authorization id:" { puts $1 ; send "$1\r"}`
			`}`
			`expect {`
			`timeout {exit 5}`
			`eof {exit 6}`
			`-nocase "Password:" { puts $2 ; send "$2\r"}`
			`}`
			`expect {`
			`timeout {exit 8}`
			`-nocase "successful authentication" { expect eof ; exit 0}`
			`-nocase "authentication failed" {exit 9}`
			`}`
			`expect eof`
			`exit 0`
			`EOF`
			`}`

			`# ldapdb configuration for services, in this test for sasl2-sample-server`
			`# configuration may be for smtpd.conf,imapd.conf instead of sample.conf`
			`function smtpd_ldapdb {`
			`cat >$LIBDIR/sasl2/sample.conf<<EOF`
			`pwcheck_method: auxprop`
			`auxprop_plugin: ldapdb`
			`mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5`
			`ldapdb_uri: ldap://localhost`
			`ldapdb_id: $ldapdb_id`
			`ldapdb_pw: $ldapdb_pw`
			`ldapdb_mech: DIGEST-MD5`
			`EOF`
			`return $?`
			`}`


			`rlJournalStart`
			`rlPhaseStartSetup`
			`for P in ${PACKAGES[@]}; do rlCheckRpm $P \|\| rlDie "Package $P is missing"; done`
			`rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"`
			`rlRun "pushd $TmpDir"`

			`rlFileBackup --clean "$LIBDIR/sasl2/sample.conf"`
			`rlFileBackup --clean "/etc/sasldb2"`

			`rlRun "smtpd_ldapdb" 0`

			`rlServiceStop $SERVICE_LDAP`

			`# Back-up.`
			`rlFileBackup --clean /var/run/openldap`
			`rlFileBackup --clean /var/lib/ldap && rm -rf /var/lib/ldap/*`
			`rlFileBackup --clean /etc/openldap/`

			`rlRun "slapd_conf" 0`
			`rlRun "cat /etc/openldap/slapd.conf" 0`
			`if rlIsRHEL '>=6' \|\| rlIsFedora '>=14'; then`
			`rm -rf /etc/openldap/slapd.d/*`
			`slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/`
			`fi`

			`rlRun "data_ldif" 0`
			`rlRun "slapadd -l data.ldif" 0`

			`chown -R ldap:ldap /var/lib/ldap/* && chmod -R a+rx /etc/openldap/`

			`rlRun "restorecon -vvRF /etc/openldap/"`
			`rlRun "service $SERVICE_LDAP start && sleep 10" 0`

			`rlPhaseEnd`

			`rlPhaseStartTest`
			`rlRun "ldapsearch -LLL -H ldap://localhost -s base -b '' -x supportedSASLMechanisms" 0`
			`rlRun "ldapsearch -H ldap://localhost -x -b 'dc=my-domain,dc=com' '(objectclass=*)'" 0 "Check ldap entries without SASL"`

			`# this two ldapwhoami commands may be used for testing purposes`
			`# rlRun "ldapwhoami -U $ldapdb_id -Y digest-md5" 0`
			`# rlRun "ldapwhoami -U $ldapdb_id -X u:test@localhost -Y digest-md5" 0`

			`# sasl sample server uses ldap sasluser as sasl bind id`
			`# then try search user passed to sample client in ldap database`
			`rlRun "sasl2-sample-server -p 8000 -s rcmd -m PLAIN &>sample_server.log &" 0`
			SASL_PID=`pgrep -f "sasl2-sample-server -p 8000 -s rcmd -m PLAIN"`
			`rlRun "sasl_client $SASL_USER ${SASL_PASSWORD}" 0`
			`rlRun "sasl_client baduser ${SASL_PASSWORD}" 9`
			`rlRun "kill $SASL_PID" 0 ; sleep 5`
			`rlRun "cat sample_server.log" 0`
			`rlPhaseEnd`

			`rlPhaseStartCleanup`
			`rlRun "service $SERVICE_LDAP stop && sleep 10" 0`
			`rlFileRestore`
			`rlServiceRestore $SERVICE_LDAP`
			`rlRun "popd"`
			`rlRun "rm -r $TmpDir" 0 "Removing tmp directory"`
			`rlPhaseEnd`
			`rlJournalPrintText`
			`rlJournalEnd`