Attachment 848256 Details for Bug 877438 – sudo_notbefore_notafter_test

sudo_notbefore_notafter_test

sudo_notbefore_notafter_test (text/plain), 5.25 KB, created by Nikolai Kondrashov on 2014-01-10 15:32:27 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Nikolai Kondrashov

Created: 2014-01-10 15:32:27 UTC

Size: 5.25 KB

patch

obsolete

>#!/bin/bash
>
>set -o errexit -o nounset -o pipefail
>
>declare -r SMART_INTERVAL=1
>declare -r FULL_INTERVAL=$((SMART_INTERVAL * 10))
>declare -r BASE_DN="dc=example,dc=com"
>declare -r SUDO_BASE_DN="ou=Sudoers,$BASE_DN"
>declare -r -a LDAP_OPTS=(-x -h server -D "cn=Manager,$BASE_DN" -w Secret123)
>
>declare REFRESH_WAIT=0
>
>function sudo_check_access()
>{
>    declare -r name="$1"
>    declare -r expected="$2"
>    declare result
>    declare verdict
>    su user1 -c 'sudo -u user2 true' 2>/dev/null &&
>        result="ALLOWED" || result="DENIED"
>    [ "$result" == "$expected" ] &&
>        verdict=$'\x1b[32mPASSED\x1b[0m' ||
>        verdict=$'\x1b[31mFAILED\x1b[0m'
>    printf "%-32s %-7s %6s\n" "$name" "$result" "$verdict"
>}
>
>function rule_mod()
>{
>    declare -r name="$1"
>    {
>        cat <<<"\
>            dn: cn=$name,$SUDO_BASE_DN
>            changetype: modify"
>        cat
>    } | sed -e 's/^\s\+//' | ldapmodify "${LDAP_OPTS[@]}" >/dev/null
>}
>
>function rule_dump()
>{
>    declare -r name="$1"
>    ldapsearch "${LDAP_OPTS[@]}" -LLL -b "cn=$name,$SUDO_BASE_DN"
>}
>
>function service_quiet()
>{
>    service "$@" 2>&1 >/dev/null | {
>        grep -v 'Redirecting to /bin/systemctl' || true
>    } >&2
>}
>
>function ldap_setup()
>{
>    sed -e 's/^\s\+//' <<<"
>        dn: uid=user1,ou=Users,$BASE_DN
>        objectClass: top
>        objectClass: inetOrgPerson
>        objectClass: posixAccount
>        cn: 1
>        sn: User
>        uidNumber: 10001
>        gidNumber: 20001
>        userPassword:: cGFzc3dvcmQx
>        homeDirectory: /home/user1
>        loginShell: /bin/bash
>        uid: user1
>
>        dn: uid=user2,ou=Users,$BASE_DN
>        objectClass: top
>        objectClass: inetOrgPerson
>        objectClass: posixAccount
>        cn: 2
>        sn: User
>        uidNumber: 10002
>        gidNumber: 20002
>        userPassword:: cGFzc3dvcmQy
>        homeDirectory: /home/user2
>        loginShell: /bin/bash
>        uid: user2
>
>        dn: $SUDO_BASE_DN
>        objectClass: top
>        objectClass: organizationalUnit
>        ou: Sudoers
>
>        dn: cn=defaults,$SUDO_BASE_DN
>        objectClass: top
>        objectClass: sudoRole
>        sudoOption: !authenticate
>        cn: defaults
>
>        dn: cn=test,$SUDO_BASE_DN
>        objectClass: top
>        objectClass: sudoRole
>        sudoCommand: ALL
>        cn: test
>        sudoUser: ALL
>        sudoRunAsUser: ALL
>        sudoHost: ALL
>    " | ldapmodify "${LDAP_OPTS[@]}" -a >/dev/null
>}
>
>function ldap_teardown()
>{
>    ldapdelete "${LDAP_OPTS[@]}" -r \
>               "uid=user1,ou=Users,$BASE_DN" \
>               "uid=user2,ou=Users,$BASE_DN" \
>               "$SUDO_BASE_DN"
>}
>
>function sssd_setup()
>{
>    ldap_setup
>    REFRESH_WAIT=$((SMART_INTERVAL + 1))
>    service_quiet sssd stop
>    cat >>/etc/sssd/sssd.conf <<EOF
>entry_cache_nowait_percentage       = 0
>entry_cache_timeout                 = 0
>ldap_sudo_smart_refresh_interval    = $SMART_INTERVAL
>ldap_sudo_full_refresh_interval     = $FULL_INTERVAL
>EOF
>    chmod 0600 /etc/sssd/sssd.conf
>    rm -f /var/lib/sss/db/*.ldb
>    service_quiet sssd start
>}
>
>function sssd_teardown()
>{
>    service_quiet sssd stop
>    cat /etc/sssd/sssd.conf |
>        grep -v 'ldap_sudo_$smart\|full$_refresh_interval' |
>        grep -v 'entry_cache_$nowait_percentage\|timeout$' \
>            > /etc/sssd/sssd.conf.new
>    mv /etc/sssd/sssd.conf{.new,}
>    chmod 0600 /etc/sssd/sssd.conf
>    rm -f /var/lib/sss/db/*.ldb
>    REFRESH_WAIT=0
>    ldap_teardown
>    service_quiet sssd start
>}
>
># Output a date in LDAP yyyymmddHHMMSSZ format.
># Args: [date_option...]
>function ldap_date()
>{
>    date +'%Y%m%d%H%M%S%z' "$@"
>}
>
>function test_sudo_notbefore_notafter()
>{
>    rule_mod test <<<"\
>        replace:        sudoNotBefore
>        sudoNotBefore:  `ldap_date --date=\"+10 seconds\"`"
>    sleep "$REFRESH_WAIT"
>    sudo_check_access notbefore_before DENIED
>    sleep $((11-REFRESH_WAIT))
>    sudo_check_access notbefore_after ALLOWED
>
>    rule_mod test <<<"\
>        delete:         sudoNotBefore
>        -
>        replace:        sudoNotAfter
>        sudoNotAfter:   `ldap_date --date=\"+10 seconds\"`"
>    sleep "$REFRESH_WAIT"
>    sudo_check_access notafter_before ALLOWED
>    sleep $((11-REFRESH_WAIT))
>    sudo_check_access notafter_after DENIED
>
>    rule_mod test <<<"\
>        replace:        sudoNotBefore
>        sudoNotBefore:  `ldap_date --date=\"+10 seconds\"`
>        -
>        replace:        sudoNotAfter
>        sudoNotAfter:   `ldap_date --date=\"+20 seconds\"`"
>    sleep "$REFRESH_WAIT"
>    sudo_check_access notbefore_notafter_before DENIED
>    sleep $((11-REFRESH_WAIT))
>    sudo_check_access notbefore_notafter_within ALLOWED
>    sleep 10
>    sudo_check_access notbefore_notafter_after DENIED
>
>    rule_mod test <<<"\
>        replace:        sudoNotAfter
>        sudoNotAfter:   `ldap_date --date=\"+10 seconds\"`
>        -
>        replace:        sudoNotBefore
>        sudoNotBefore:  `ldap_date --date=\"+20 seconds\"`"
>    sudo_check_access notafter_notbefore_before DENIED
>    sleep $((11-REFRESH_WAIT))
>    sudo_check_access notafter_notbefore_within DENIED
>    sleep 10
>    sudo_check_access notafter_notbefore_after DENIED
>}
>
>if [ $# != 1 ]; then
>    echo "Invalid number of arguments" >&2
>    echo "Usage: `basename $0` sssd|ldap" >&2
>    exit 1
>fi
>declare -r backend="$1"
>trap ${backend}_teardown EXIT
>${backend}_setup
>test_sudo_notbefore_notafter

Actions: View

Attachments on bug 877438: 646348 | 646349 | 848256 | 848257 | 848258