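#!/bin/sh
# autopkgtest for sudo-ldap: bring up a local slapd, load the host's
# /etc/sudoers into it with cvtsudoers, move the file-based sudoers away and
# check that sudo then takes its policy from LDAP ("sudoers: ldap" in
# nsswitch.conf) for a group member with the right password, a group member
# with a wrong password and an account outside the sudo group.
#
# Needs root.  It rewrites /etc/hosts, /etc/hosts.allow, /etc/nsswitch.conf
# and /etc/ldap/ldap.conf, wipes /var/lib/ldap/*.mdb and reconfigures slapd
# and sudo-ldap, so it is only meant for a disposable test environment: the
# exit trap restores /etc/sudoers and removes the test accounts, nothing else.
set -e

TESTNR="03"
BASEDIR="$(pwd)/debian/tests"
COMMONDIR="${BASEDIR}/common"
DIR="${BASEDIR}/${TESTNR}"
# Fixed, trusted PATH for everything spawned below (su, dpkg-reconfigure, ...).
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
export PATH
ACCTA="test${TESTNR}a"
ACCTB="test${TESTNR}b"
# Throw-away password shared by both test accounts.  It is passed to asuser on
# the command line, i.e. visible in the process list, which is acceptable only
# because the accounts exist for the lifetime of this script.
PASSWD="test${TESTNR}23456"
HOMEDIRA="/home/${ACCTA}"
HOMEDIRB="/home/${ACCTB}"
LDIFDIR="${DIR}/ldif"
# Base DN under which cvtsudoers writes and sudo-ldap reads the sudoers tree.
SUDOERS_BASE="ou=SUDOers,dc=example,dc=com"
# Admin bind DN for the test directory; its password "ldappw" is given on the
# ldapadd command lines below (presumably the value preseeded via
# ${LDIFDIR}/debconf).
ADMIN_DN="cn=admin,dc=example,dc=com"

# Undo what the test did to the host, as far as it can be undone: stop the
# test slapd, drop the test accounts, put /etc/sudoers back.  Runs on normal
# exit and on the listed signals; SIGKILL bypasses it and would leave sudo
# without a sudoers file (it is then at /etc/disabled.sudoers).
cleanup() {
  # shellcheck disable=SC2046 -- pidof may return several pids, splitting intended
  kill $(pidof slapd) 2>/dev/null || true
  deluser --remove-home "${ACCTA}" 2>/dev/null || true
  deluser --remove-home "${ACCTB}" 2>/dev/null || true
  mv /etc/disabled.sudoers /etc/sudoers 2>/dev/null || true
}
trap cleanup 0 INT QUIT ABRT PIPE TERM

# ensure_line FILE LINE: append LINE to FILE unless it is already present as a
# complete line.
ensure_line() {
  if ! grep -q -F -x -- "$2" "$1"; then
    printf '%s\n' "$2" >> "$1"
  fi
}

# fail_with_output HOME RET: dump the stdout/stderr that asuser left in HOME
# to stderr, report the su exit status RET and abort the whole test run.
fail_with_output() {
  printf >&2 "stdout:\n"
  cat >&2 -- "$1/stdout"
  printf >&2 "stderr:\n"
  cat >&2 -- "$1/stderr"
  printf >&2 "\nexit code %s\n" "$2"
  printf >&2 -- "------\n exit 1\n"
  exit 1
}

# expect_in_stderr HOME RET STRING...: every STRING must occur (fixed-string
# match, matching line is echoed) in HOME/stderr, otherwise dump and fail.
expect_in_stderr() {
  home=$1
  ret=$2
  shift 2
  for string in "$@"; do
    if ! grep -F -- "${string}" "${home}/stderr"; then
      printf >&2 "%s missing in stderr output\n" "${string}"
      fail_with_output "${home}" "${ret}"
    fi
  done
}

# create_account NAME HOME: (re)create local account NAME with home directory
# HOME and the shared test password.
create_account() {
  deluser "$1" 2>/dev/null || true
  adduser --disabled-password --home "$2" --gecos "" "$1"
  printf "%s:%s\n" "$1" "${PASSWD}" | chpasswd
}

# TCP-wrappers allow rule for slapd.  The daemon started below listens on the
# loopback address only; this line is not removed by cleanup.
ensure_line /etc/hosts.allow "slapd: ALL"

# Preseed the slapd debconf answers (presumably admin password and suffix)
# from the test's ldif directory, then rebuild the database from scratch.
debconf-set-selections < "${LDIFDIR}/debconf"
printf "clean up ldap database ... "
rm -rf /var/lib/ldap/*.mdb
printf "reconfigure slapd ... "
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
# Re-check in case the reconfiguration rewrote hosts.allow.
ensure_line /etc/hosts.allow "slapd: ALL"

printf "start slapd ... "
# Non-standard port on 127.0.0.1 only, plus the ldapi socket that is used for
# the SASL EXTERNAL (root) bind when loading the schema.
slapd -h 'ldap://127.0.0.1:11389/ ldapi:///' -g openldap -u openldap -F /etc/ldap/slapd.d
# Replace the client configuration so the ldap tools and sudo-ldap talk to the
# test server; the previous content of ldap.conf is lost.
printf "URI ldap://127.0.0.1:11389\n" > /etc/ldap/ldap.conf
# ldapsearch -x -LLL -s base -b "" namingContexts should work here

printf "add sudo schema to slapd ... "
ldapadd -Y EXTERNAL -H ldapi:/// < /usr/share/doc/sudo-ldap/schema.olcSudo 2>/dev/null
printf "add sudo group ... "
ldapadd -x -D "${ADMIN_DN}" -w ldappw < "${LDIFDIR}/container.ldif" 2>/dev/null

# Make LDAP the only sudoers source: drop any existing "sudoers:" entry first.
if ! grep -q -x 'sudoers: ldap' /etc/nsswitch.conf; then
  sed -i '/^sudoers.*/d' /etc/nsswitch.conf
  printf 'sudoers: ldap\n' >> /etc/nsswitch.conf
fi
ensure_line /etc/ldap/ldap.conf "sudoers_base ${SUDOERS_BASE}"

printf "reconfigure sudo-ldap (#1001851) ... "
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical sudo-ldap 2>/dev/null

# Convert the host's /etc/sudoers (presumably carrying the default Debian
# "%sudo" rule) into LDIF and load it under the sudoers base.
printf "cvtsudoers into sudoers.ldif ... "
cvtsudoers -b "${SUDOERS_BASE}" -o "${LDIFDIR}/sudoers.ldif" /etc/sudoers
printf "\n cat sudoers.ldif\n"
cat -- "${LDIFDIR}/sudoers.ldif"
printf "pull sudoers.ldif into ldap ..."
ldapadd -x -D "${ADMIN_DN}" -w ldappw < "${LDIFDIR}/sudoers.ldif"
# ldapsearch -x -LLL -b "ou=SUDOers,dc=example,dc=com" should work here
printf "move away sudoers ...\n"
# From here on sudo can only be granted through LDAP; cleanup moves it back.
mv /etc/sudoers /etc/disabled.sudoers

# asuser is not visible here; from the checks below it is expected to run
# sudo (something like "sudo id -u") with the password given as its argument
# and leave that run's output in stdout/stderr inside the home directory --
# TODO confirm against debian/tests/common/asuser.

printf "========= test %s.1: account group member, correct password\n" "${TESTNR}"
# Replace /etc/hosts with just the machine's own name (presumably so the
# hostname resolves for sudo).  Not restored by cleanup.
printf > /etc/hosts "127.0.1.1 %s\n" "$(hostname)"
create_account "${ACCTA}" "${HOMEDIRA}"
adduser "${ACCTA}" sudo
RET=0
printf "trying %s with correct password\n" "${ACCTA}"
# The su status is reported but not fatal; the verdict comes from the files.
su - "${ACCTA}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
printf "%s with correct password, return value %s\n" "${ACCTA}" "${RET}"
# "0" on stdout means the sudo'ed command ran as root.
if [ "$(cat "${HOMEDIRA}/stdout")" != "0" ]; then
  printf >&2 "id -u did not give 0\n"
  fail_with_output "${HOMEDIRA}" "${RET}"
fi

printf "========= test %s.2: account group member, wrong password\n" "${TESTNR}"
# Discard the captures of the previous run so stale output cannot satisfy
# the checks below.
rm -f -- "${HOMEDIRA}/stdout" "${HOMEDIRA}/stderr"
RET=0
printf "trying %s with wrong password\n" "${ACCTA}"
su - "${ACCTA}" -c "${COMMONDIR}/asuser wrongpasswd" || RET=$?
printf "%s with wrong password, return value %s\n" "${ACCTA}" "${RET}"
# GNU head: "-n-0" prints the whole of each file, with a "==> file <==" header.
head -n-0 -- "${HOMEDIRA}/stdout" "${HOMEDIRA}/stderr"
printf -- "\n-------\n"
expect_in_stderr "${HOMEDIRA}" "${RET}" \
  "[sudo] password for ${ACCTA}" \
  "Sorry, try again" \
  "sudo: no password was provided" \
  "sudo: 1 incorrect password attempt"

printf "========= test %s.3: account not group member, correct password\n" "${TESTNR}"
# Fresh account, deliberately not added to the sudo group.
create_account "${ACCTB}" "${HOMEDIRB}"
RET=0
printf "trying %s (no sudo membership) with correct password\n" "${ACCTB}"
su - "${ACCTB}" -c "${COMMONDIR}/asuser ${PASSWD}" || RET=$?
printf "%s with correct password, return value %s\n" "${ACCTB}" "${RET}"
head -n-0 -- "${HOMEDIRB}/stdout" "${HOMEDIRB}/stderr"
printf -- "\n-------\n"
expect_in_stderr "${HOMEDIRB}" "${RET}" \
  "[sudo] password for ${ACCTB}" \
  "${ACCTB} is not allowed to run sudo on"

printf "test series successful, exit 0\n"
exit 0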