<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!--
! CDDL HEADER START
!
! The contents of this file are subject to the terms of the
! Common Development and Distribution License, Version 1.0 only
! (the "License"). You may not use this file except in compliance
! with the License.
!
! You can obtain a copy of the license at
! See the License for the specific language governing permissions
! and limitations under the License.
!
! When distributing Covered Code, include this CDDL HEADER in each
! file and include the License file at
! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
! add the following below this CDDL HEADER, with the fields enclosed
! by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CDDL HEADER END
!
! Copyright 2010 Sun Microsystems, Inc.
! Portions Copyright 2013 ForgeRock AS
! -->
<stax>
<defaultcall function="clus_saslexternal_fingerprint"/>
<function name="clus_saslexternal_fingerprint" scope="local">
<sequence>
<block name="'clus_saslexternal_fingerprint'">
<sequence>
<!--- Test Suite information
#@TestSuiteName SASL external fingerprint mapper
check behaviors
#@TestSuitePurpose Test the results of ldap commands in the case
of fingerprint mapper
#@TestSuiteGroup ldapdmodify check behavior tests
#@TestScript clus_saslexternal_fingerprint.xml
-->
<script>
if not CurrentTestPath.has_key('group'):
CurrentTestPath['group'] = 'clu_secure'
CurrentTestPath['suite'] = STAXCurrentBlock
</script>
<call function="'testSuite_Preamble'"/>
<!--- Test Case information
#@TestMarker SASL external fingerprint blind trust
check behaviors
#@TestName Fingerprint to user attribute :
server trust all client certificates
#@TestPurpose Test fingerprint certificate mapper
with blind trust
#@TestPreamble none
#@TestStep Create a client-350-cert with dname
"uid=user.350,ou=People,dc=com"
#@TestStep Configure fingerprint certificate mapper
with blind trust
#@TestStep Make a ldapsearch using client-350-cert :
should fail
#@TestStep Add client-350-cert fingerprint to
user.350 attribute
#@TestStep Make a ldapsearch using client-350-cert :
should success
return "Anatoly"
#@TestStep Allow user.350 to delete user.42*
#@TestStep Make a ldapdelete using client-350-cert :
should success
#@TestStep Make a ldapseach using client-350-cert :
should success
return "total number of matching entries: 0"
#@TestPostamble none
#@TestResult Success if ldapseach after delete return
"Total number of matching entries: 0"
-->
<testcase name="getTestCaseName('Fingerprint to user attribute : server trust all client certificates')">
<sequence>
<call function="'testCase_Preamble'"/>
<!-- Create user.350 Certificate -->
<message>
'SASL External : Client certicate :Step 1. Generating user.350 \
client certificate'
</message>
<call function="'genCertificate'">
{
'certAlias' : 'client-350-cert' ,
'dname' : "uid=user.350,ou=People,dc=com",
%(InstanceInstallDir),
'storepass' : 'clientkeystorepass',
'keypass' : 'clientkeystorepass',
'storetype' : 'JKS'
}
</call>
<message>
'SASL External: Client certicate :Step 2. Self-Signing user.350 \
client Certicate'
</message>
<call function="'SelfSignCertificate'">
{
'certAlias' : 'client-350-cert' ,
'storepass' : 'clientkeystorepass',
'keypass' : 'clientkeystorepass',
%(InstanceInstallDir),
'storetype' : 'JKS'
}
</call>
<message>
'SASL External: export : export user.350 certificate'
</message>
<call function="'ExportCertificate'">
{
'certAlias' : 'client-350-cert' ,
%(InstanceInstallDir),
'storepass' : 'clientkeystorepass',
%(InstanceInstallDir),
'storetype' : 'JKS',
'format' : 'rfc'
}
</call>
<call function="'addCertificate'">
{
'userdn' : 'uid=user.350,ou=People,dc=com',
%(InstanceInstallDir),
%(InstanceInstallDir)
}
</call>
<!--- Enable Subject DN to user attribute with blind trust-->
<message>
'SASL External: configure : Enable subject DN to user attribute \
with blind trust'
</message>
<call function="'configureSASL'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
'KeyMgr' : 'JKSPROVIDER',
'keystoreFile' : 'config/serverkeystore',
'keystorePin' : 'keystorepass',
'handlerName' : 'EXTERNAL',
'certMapper' : 'Fingerprint Mapper',
'optionSaSL' : '--set certificate-validation-policy:always',
'certAlias' : 'server-cert2'
}
</call>
<message>
'SASL External: Test fingerpint mapper : try to connect with \
user.120 certificate'
</message>
<call function="'ldapSearchWithScript'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsUseSSL' : ' ' ,
'dsTrustAll' : ' ' ,
'dsUseSASLExternal': ' ',
%(InstanceInstallDir),
'dsKeyStorePassword': 'clientkeystorepass',
'dsCertNickname' : 'client-120-cert',
'dsReportAuthzID' : ' ',
'dsBaseDN' : 'dc=com' ,
'dsFilter' : 'uid=user.585' ,
'dsAttributes' : 'givenName',
'expectedRC' : 49
}
</call>
<script>
returnString = STAXResult[0][1]
</script>
<call function="'checktestString'">
{
'returnString' : returnString ,
'expectedString' : 'Invalid Credentials'
}
</call>
<!-- get the fingerprint for user.350 -->
<call function="'getFingerprint'">
{
'certAlias' : 'client-350-cert',
'storepass' : 'clientkeystorepass',
%(InstanceInstallDir)
}
</call>
<script>
STAXCode = RC
certificateResult = STAXResult[0][1]
</script>
<script>
string_len=len(certificateResult)
index_MD5=certificateResult.find("MD5:")
index_SHA1=certificateResult.find("SHA1:")
index_Signature=certificateResult.find\
("Signature algorithm name:")
MD5_fingerprint_user350=certificateResult\
[index_MD5+5:index_SHA1].strip()
if index_Signature == -1:
SHA1_fingerprint_user350=certificateResult\
[index_SHA1+5:string_len].strip()
else:
SHA1_fingerprint_user350=certificateResult\
[index_SHA1+5:index_Signature].strip()
</script>
<message>
'SASL External: configure : add ds-certificate-fingerprint \
attribute in user.350 entry'
</message>
<call function="'modifyAnAttribute'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
'DNToModify' : 'uid=user.350,ou=people,dc=com',
'attributeName' : 'ds-certificate-fingerprint',
'newAttributeValue': MD5_fingerprint_user350,
'changetype' : 'add',
'expectedRC' : 0
}
</call>
<!---Test Subject DN to user attribute ldapdelete behaviors -->
<message>
'SASL External: Test fingerpint mapper : try to connect with \
user.350 certificate'
</message>
<call function="'ldapSearchWithScript'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsUseSSL' : ' ' ,
'dsTrustAll' : ' ' ,
'dsUseSASLExternal': ' ',
%(InstanceInstallDir),
'dsKeyStorePassword' : 'clientkeystorepass',
'dsCertNickname' : 'client-350-cert',
'dsReportAuthzID' : ' ',
'dsBaseDN' : 'dc=com' ,
'dsFilter' : 'uid=user.420' ,
'dsAttributes' : 'givenName',
'expectedRC' : 0
}
</call>
<script>
returnString = STAXResult[0][1]
</script>
<call function="'checktestString'">
{
'returnString' : returnString ,
'expectedString' : 'Anitra'
}
</call>
<message>
'SASL External: aci : allow permission delete for user.350'
</message>
<script>
aci_allowdelete = 'clu_secure/clus_sasl_allowdelete.ldif'
</script>
<call function="'ldapModifyWithScript'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
'dsFilename' : '%s/%s' % (remote.data,aci_allowdelete),
'expectedRC' : 0
}
</call>
<message>
'SASL External: ldapdelete : delete user.420'
</message>
<call function="'ldapDeleteWithScript'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsUseSSL' : ' ' ,
'dsTrustAll' : ' ' ,
'dsUseSASLExternal': ' ',
%(InstanceInstallDir),
'dsKeyStorePassword' : 'clientkeystorepass',
'dsCertNickname' : 'client-350-cert',
'dsDn' : ['uid=user.420,ou=people,dc=com'],
'expectedRC' : 0
}
</call>
<call function="'ldapSearchWithScript'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsUseSSL' : ' ' ,
'dsTrustAll' : ' ' ,
'dsUseSASLExternal': ' ',
%(InstanceInstallDir),
'dsKeyStorePassword' : 'clientkeystorepass',
'dsCertNickname' : 'client-350-cert',
'dsCountEntries' : 'True' ,
'dsReportAuthzID' : ' ',
'dsBaseDN' : 'dc=com' ,
'dsFilter' : 'uid=user.420' ,
'expectedRC' : 'noCheck'
}
</call>
<script>
returnString = STAXResult[0][1]
</script>
<call function="'checktestString'">
{
'returnString' : returnString ,
'expectedString' : 'Total number of matching entries: 0'
}
</call>
<call function="'testCase_Postamble'"/>
</sequence>
</testcase>
<!--- Test Case information
#@TestMarker SASL external fingerprint TrustStore
check behaviors
#@TestName Fingerprint to user attribute :
server use TrustStore
#@TestPurpose Test fingerprint certificate mapper
withTrustStore
#@TestPreamble none
#@TestStep Configure fingerprint certificate mapper
with TrustStore
#@TestStep Make a ldapdelete using client-350-cert :
should fail
#@TestStep Add client-350-cert certificate
into server TrustStore
#@TestStep Make a ldapsearch using client-350-cert :
should success
return "Total number of matching entries: 1"
#@TestStep Make a ldapdelete using client-350-cert :
should success
#@TestStep Make a ldapseach using client-350-cert :
should success
return "total number of matching entries: 0"
#@TestPostamble none
#@TestResult Success if ldapseach after delete return
"Total number of matching entries: 0"
-->
<testcase name="getTestCaseName('Fingerprint mapper: with trust file manager')">
<sequence>
<call function="'testCase_Preamble'"/>
<!--- Test SASL External Subject DN to user attribute with truststore -->
<message>
'SASL External: configure : Enable subject SN to user attribute \
with TrustStore file'
</message>
<call function="'configureSASL'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
'KeyMgr' : 'JKSPROVIDER',
'optionSaSL' : '--set certificate-validation-policy:always',
'keystoreFile' : 'config/serverkeystore',
'keystorePin' : 'keystorepass',
'trustMgr' : 'JKS',
'truststoreFile' : 'config/servertruststore',
'truststorePin' : 'truststorepass',
'handlerName' : 'EXTERNAL',
'certMapper' : 'Fingerprint mapper',
'certAlias' : 'server-cert2'
}
</call>
<message>
'SASL External: ldapdelete : delete allow but certificate not in \
TrustStore'
</message>
<call function="'ldapDeleteWithScript'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsUseSSL' : ' ' ,
'dsTrustAll' : ' ' ,
'dsUseSASLExternal': ' ',
%(InstanceInstallDir),
'dsKeyStorePassword' : 'clientkeystorepass',
'dsCertNickname' : 'client-350-cert',
'dsDn' : ['uid=user.421,ou=people,dc=com'],
'expectedRC' : 81
}
</call>
<!--- Add the user.350 certificate to the server truststore -->
<message>
'SASL External: import : import user.350 certificate to server \
truststore'
</message>
<call function="'ImportCertificate'">
{
'certAlias' : 'client-350-cert',
%(InstanceInstallDir),
'storepass' : 'truststorepass',
'storetype' : 'JKS'
}
</call>
<message>
'SASL External: restart LDAPS connection handler to re-read trustore'
</message>
<call function="'dsconfig'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
'subcommand' : 'set-connection-handler-prop',
'objectType' : 'handler-name' ,
'objectName' : 'LDAPS Connection Handler',
'optionsString' : '--set enabled:false' ,
'expectedRC' : 0
}
</call>
<call function="'dsconfig'">
{ 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
'subcommand' : 'set-connection-handler-prop',
'objectType' : 'handler-name' ,
'objectName' : 'LDAPS Connection Handler',
'optionsString' : '--set enabled:true' ,
'expectedRC' : 0
}
</call>
<call function="'ldapSearchWithScript'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsUseSSL' : ' ' ,
'dsTrustAll' : ' ' ,
'dsUseSASLExternal': ' ',
%(InstanceInstallDir),
'dsKeyStorePassword' : 'clientkeystorepass',
'dsCertNickname' : 'client-350-cert',
'dsCountEntries' : 'True' ,
'dsReportAuthzID' : ' ',
'dsBaseDN' : 'dc=com' ,
'dsFilter' : 'uid=user.421' ,
'expectedRC' : 'noCheck'
}
</call>
<script>
returnString = STAXResult[0][1]
</script>
<call function="'checktestString'">
{
'returnString' : returnString ,
'expectedString' : 'Total number of matching entries: 1'
}
</call>
<message>
'SASL External: ldapdelete : delete user.421'
</message>
<call function="'ldapDeleteWithScript'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsUseSSL' : ' ' ,
'dsTrustAll' : ' ' ,
'dsUseSASLExternal': ' ',
%(InstanceInstallDir),
'dsKeyStorePassword' : 'clientkeystorepass',
'dsCertNickname' : 'client-350-cert',
'dsDn' : ['uid=user.421,ou=people,dc=com'],
'expectedRC' : 0
}
</call>
<call function="'ldapSearchWithScript'">
{
'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
'dsUseSSL' : ' ' ,
'dsTrustAll' : ' ' ,
'dsUseSASLExternal': ' ',
%(InstanceInstallDir),
'dsKeyStorePassword' : 'clientkeystorepass',
'dsCertNickname' : 'client-350-cert',
'dsReportAuthzID' : ' ',
'dsCountEntries' : 'True' ,
'dsBaseDN' : 'dc=com' ,
'dsFilter' : 'uid=user.421' ,
'expectedRC' : 'noCheck'
}
</call>
<script>
returnString = STAXResult[0][1]
</script>
<call function="'checktestString'">
{
'returnString' : returnString ,
'expectedString' : 'Total number of matching entries: 0'
}
</call>
<call function="'testCase_Postamble'"/>
</sequence>
</testcase>
<call function="'testSuite_Postamble'"/>
</sequence>
</block>
</sequence>
</function>
</stax>