5065N/A<?
xml version="1.0" encoding="UTF-8" standalone="no"?>
5065N/A ! The contents of this file are subject to the terms of the 5065N/A ! Common Development and Distribution License, Version 1.0 only 5065N/A ! (the "License"). You may not use this file except in compliance 5065N/A ! See the License for the specific language governing permissions 5065N/A ! and limitations under the License. 5065N/A ! When distributing Covered Code, include this CDDL HEADER in each 6982N/A ! If applicable, add the following below this CDDL HEADER, with the 6982N/A ! fields enclosed by brackets "[]" replaced with your own identifying 5065N/A ! Portions Copyright [yyyy] [name of copyright owner] 5065N/A ! Copyright 2010 Sun Microsystems, Inc. 6049N/A ! Portions Copyright 2013 ForgeRock AS 5065N/A <
defaultcall function="clus_saslexternal_fingerprint"/>
5065N/A <
function name="clus_saslexternal_fingerprint" scope="local">
5065N/A <
block name="'clus_saslexternal_fingerprint'">
5065N/A <!--- Test Suite information 5065N/A #@TestSuiteName SASL external fingerprint mapper 5065N/A #@TestSuitePurpose Test the results of ldap commands in the case 5065N/A #@TestSuiteGroup ldapdmodify check behavior tests 5065N/A CurrentTestPath['group'] = 'clu_secure'
5065N/A CurrentTestPath['suite'] = STAXCurrentBlock
5065N/A <
call function="'testSuite_Preamble'"/>
5065N/A <!--- Test Case information 5065N/A #@TestMarker SASL external fingerprint blind trust 5065N/A #@TestName Fingerprint to user attribute : 5065N/A server trust all client certificates 5065N/A #@TestPurpose Test fingerprint certificate mapper 5065N/A #@TestStep Create a client-350-cert with dname 5065N/A "uid=user.350,ou=People,dc=com" 5065N/A #@TestStep Configure fingerprint certificate mapper 5065N/A #@TestStep Make a ldapsearch using client-350-cert : 5065N/A #@TestStep Add client-350-cert fingerprint to 5065N/A #@TestStep Make a ldapsearch using client-350-cert : 5065N/A #@TestStep Allow user.350 to delete user.42* 5065N/A #@TestStep Make a ldapdelete using client-350-cert : 5065N/A #@TestStep Make a ldapseach using client-350-cert : 5065N/A return "total number of matching entries: 0" 5065N/A #@TestResult Success if ldapseach after delete return 5065N/A "Total number of matching entries: 0" 6049N/A <
testcase name="getTestCaseName('Fingerprint to user attribute : server trust all client certificates')">
5065N/A <
call function="'testCase_Preamble'"/>
5065N/A <!-- Create user.350 Certificate --> 5065N/A 'SASL External : Client certicate :Step 1. Generating user.350 \
5065N/A <
call function="'genCertificate'">
5065N/A 'certAlias' : 'client-350-cert' ,
5065N/A 'dname' : "uid=user.350,ou=People,dc=com",
5065N/A 'storepass' : 'clientkeystorepass',
5065N/A 'keypass' : 'clientkeystorepass',
5065N/A 'SASL External: Client certicate :Step 2. Self-Signing user.350 \
5065N/A <
call function="'SelfSignCertificate'">
5065N/A 'certAlias' : 'client-350-cert' ,
5065N/A 'storepass' : 'clientkeystorepass',
5065N/A 'keypass' : 'clientkeystorepass',
5065N/A 'SASL External: export : export user.350 certificate'
5065N/A <
call function="'ExportCertificate'">
5065N/A 'certAlias' : 'client-350-cert' ,
5065N/A 'storepass' : 'clientkeystorepass',
5065N/A <
call function="'addCertificate'">
5065N/A 'userdn' : 'uid=user.350,ou=People,dc=com',
5065N/A <!--- Enable Subject DN to user attribute with blind trust--> 5065N/A 'SASL External: configure : Enable subject DN to user attribute \
5065N/A <
call function="'configureSASL'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
5065N/A 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
5065N/A 'keystorePin' : 'keystorepass',
5065N/A 'handlerName' : 'EXTERNAL',
5065N/A 'certMapper' : 'Fingerprint Mapper',
5065N/A 'optionSaSL' : '--set certificate-validation-policy:always',
5065N/A 'certAlias' : 'server-cert2'
5065N/A 'SASL External: Test fingerpint mapper : try to connect with \
5065N/A <
call function="'ldapSearchWithScript'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
5065N/A 'dsKeyStorePassword': 'clientkeystorepass',
5065N/A 'dsCertNickname' : 'client-120-cert',
5065N/A 'dsFilter' : 'uid=user.585' ,
5065N/A 'dsAttributes' : 'givenName',
5065N/A returnString = STAXResult[0][1]
5065N/A <
call function="'checktestString'">
5065N/A 'returnString' : returnString ,
5065N/A 'expectedString' : 'Invalid Credentials'
5065N/A <!-- get the fingerprint for user.350 --> 5065N/A <
call function="'getFingerprint'">
5065N/A 'certAlias' : 'client-350-cert',
5065N/A 'storepass' : 'clientkeystorepass',
5065N/A certificateResult = STAXResult[0][1]
5065N/A string_len=len(certificateResult)
5065N/A ("Signature algorithm name:")
5065N/A MD5_fingerprint_user350=certificateResult\
5065N/A [index_MD5+5:index_SHA1].strip()
5065N/A SHA1_fingerprint_user350=certificateResult\
5065N/A [index_SHA1+5:string_len].strip()
5065N/A SHA1_fingerprint_user350=certificateResult\
5065N/A [index_SHA1+5:index_Signature].strip()
5065N/A 'SASL External: configure : add ds-certificate-fingerprint \
5065N/A attribute in user.350 entry'
5065N/A <
call function="'modifyAnAttribute'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstancePort' : DIRECTORY_INSTANCE_PORT ,
5065N/A 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
5065N/A 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD ,
5065N/A 'DNToModify' : 'uid=user.350,ou=people,dc=com',
5065N/A 'attributeName' : 'ds-certificate-fingerprint',
5065N/A 'newAttributeValue': MD5_fingerprint_user350,
5065N/A <!---Test Subject DN to user attribute ldapdelete behaviors --> 5065N/A 'SASL External: Test fingerpint mapper : try to connect with \
5065N/A <
call function="'ldapSearchWithScript'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
5065N/A 'dsKeyStorePassword' : 'clientkeystorepass',
5065N/A 'dsCertNickname' : 'client-350-cert',
5065N/A 'dsFilter' : 'uid=user.420' ,
5065N/A 'dsAttributes' : 'givenName',
5065N/A returnString = STAXResult[0][1]
5065N/A <
call function="'checktestString'">
5065N/A 'returnString' : returnString ,
5065N/A 'expectedString' : 'Anitra'
5065N/A 'SASL External: aci : allow permission delete for user.350'
5065N/A <
call function="'ldapModifyWithScript'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
5065N/A 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
5065N/A 'dsInstancePort' : DIRECTORY_INSTANCE_PORT,
5065N/A 'SASL External: ldapdelete : delete user.420'
5065N/A <
call function="'ldapDeleteWithScript'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
5065N/A 'dsKeyStorePassword' : 'clientkeystorepass',
5065N/A 'dsCertNickname' : 'client-350-cert',
5065N/A 'dsDn' : ['uid=user.420,ou=people,dc=com'],
5065N/A <
call function="'ldapSearchWithScript'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
5065N/A 'dsKeyStorePassword' : 'clientkeystorepass',
5065N/A 'dsCertNickname' : 'client-350-cert',
5065N/A 'dsCountEntries' : 'True' ,
5065N/A 'dsFilter' : 'uid=user.420' ,
5065N/A returnString = STAXResult[0][1]
5065N/A <
call function="'checktestString'">
5065N/A 'returnString' : returnString ,
5065N/A 'expectedString' : 'Total number of matching entries: 0'
5065N/A <
call function="'testCase_Postamble'"/>
5065N/A <!--- Test Case information 5065N/A #@TestMarker SASL external fingerprint TrustStore 5065N/A #@TestName Fingerprint to user attribute : 5065N/A #@TestPurpose Test fingerprint certificate mapper 5065N/A #@TestStep Configure fingerprint certificate mapper 5065N/A #@TestStep Make a ldapdelete using client-350-cert : 5065N/A #@TestStep Add client-350-cert certificate 5065N/A #@TestStep Make a ldapsearch using client-350-cert : 5065N/A return "Total number of matching entries: 1" 5065N/A #@TestStep Make a ldapdelete using client-350-cert : 5065N/A #@TestStep Make a ldapseach using client-350-cert : 5065N/A return "total number of matching entries: 0" 5065N/A #@TestResult Success if ldapseach after delete return 5065N/A "Total number of matching entries: 0" 5065N/A <
testcase name="getTestCaseName('Fingerprint mapper: with trust file manager')">
5065N/A <
call function="'testCase_Preamble'"/>
5065N/A <!--- Test SASL External Subject DN to user attribute with truststore --> 5065N/A 'SASL External: configure : Enable subject SN to user attribute \
5065N/A <
call function="'configureSASL'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
5065N/A 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
5065N/A 'optionSaSL' : '--set certificate-validation-policy:always',
5065N/A 'keystorePin' : 'keystorepass',
5065N/A 'truststorePin' : 'truststorepass',
5065N/A 'handlerName' : 'EXTERNAL',
5065N/A 'certMapper' : 'Fingerprint mapper',
5065N/A 'certAlias' : 'server-cert2'
5065N/A 'SASL External: ldapdelete : delete allow but certificate not in \
5065N/A <
call function="'ldapDeleteWithScript'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
5065N/A 'dsKeyStorePassword' : 'clientkeystorepass',
5065N/A 'dsCertNickname' : 'client-350-cert',
5065N/A 'dsDn' : ['uid=user.421,ou=people,dc=com'],
5065N/A <!--- Add the user.350 certificate to the server truststore --> 5065N/A 'SASL External: import : import user.350 certificate to server \
5065N/A <
call function="'ImportCertificate'">
5065N/A 'certAlias' : 'client-350-cert',
5065N/A 'storepass' : 'truststorepass',
5065N/A 'SASL External: restart LDAPS connection handler to re-read trustore'
5065N/A <
call function="'dsconfig'">
5065N/A { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
5065N/A 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
5065N/A 'subcommand' : 'set-connection-handler-prop',
5065N/A 'objectType' : 'handler-name' ,
5065N/A 'objectName' : 'LDAPS Connection Handler',
5065N/A 'optionsString' : '--set enabled:false' ,
5065N/A <
call function="'dsconfig'">
5065N/A { 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstanceDn' : DIRECTORY_INSTANCE_DN ,
5065N/A 'dsInstancePswd' : DIRECTORY_INSTANCE_PSWD,
5065N/A 'subcommand' : 'set-connection-handler-prop',
5065N/A 'objectType' : 'handler-name' ,
5065N/A 'objectName' : 'LDAPS Connection Handler',
5065N/A 'optionsString' : '--set enabled:true' ,
5065N/A <
call function="'ldapSearchWithScript'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
5065N/A 'dsKeyStorePassword' : 'clientkeystorepass',
5065N/A 'dsCertNickname' : 'client-350-cert',
5065N/A 'dsCountEntries' : 'True' ,
5065N/A 'dsFilter' : 'uid=user.421' ,
5065N/A returnString = STAXResult[0][1]
5065N/A <
call function="'checktestString'">
5065N/A 'returnString' : returnString ,
5065N/A 'expectedString' : 'Total number of matching entries: 1'
5065N/A 'SASL External: ldapdelete : delete user.421'
5065N/A <
call function="'ldapDeleteWithScript'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
5065N/A 'dsKeyStorePassword' : 'clientkeystorepass',
5065N/A 'dsCertNickname' : 'client-350-cert',
5065N/A 'dsDn' : ['uid=user.421,ou=people,dc=com'],
5065N/A <
call function="'ldapSearchWithScript'">
5065N/A 'dsInstanceHost' : DIRECTORY_INSTANCE_HOST ,
5065N/A 'dsInstancePort' : DIRECTORY_INSTANCE_SSL_PORT ,
5065N/A 'dsKeyStorePassword' : 'clientkeystorepass',
5065N/A 'dsCertNickname' : 'client-350-cert',
5065N/A 'dsCountEntries' : 'True' ,
5065N/A 'dsFilter' : 'uid=user.421' ,
5065N/A returnString = STAXResult[0][1]
5065N/A <
call function="'checktestString'">
5065N/A 'returnString' : returnString ,
5065N/A 'expectedString' : 'Total number of matching entries: 0'
5065N/A <
call function="'testCase_Postamble'"/>
5065N/A <
call function="'testSuite_Postamble'"/>