# -*- indent-tabs-mode: t; tab-width: 4; -*-
#####
##### This file is part of Mail-in-a-Box-LDAP which is released under the
##### terms of the GNU Affero General Public License as published by the
##### Free Software Foundation, either version 3 of the License, or (at
##### your option) any later version. See file LICENSE or go to
##### https://github.com/downtownallday/mailinabox-ldap for full license
##### details.
#####
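exe_test() {
	# Run an executable and assert on its exit status.
	#
	# Arguments:
	#   $1   - expected outcome, one of:
	#            "ZERO_RC"    assert the return code was 0
	#            "NONZERO_RC" assert the return code was not 0
	#   $2   - description of the test, handed to test_start for logging
	#   $3.. - the executable and its arguments
	#
	# The executable's stdout and stderr are appended to $TEST_OF. The
	# command line is recorded to the log with the argument that follows
	# any "-w" replaced by "<redacted>", so that a password given that way
	# (as ldapsearch -w does) is not copied into the test output.
	local result_type=$1
	shift
	local desc="$1"
	shift

	test_start "$desc"

	# Build a loggable copy of the command line with the -w value masked.
	local -a shown=()
	local arg
	local mask_next=no
	for arg in "$@"; do
		if [ "$mask_next" = yes ]; then
			shown+=("<redacted>")
			mask_next=no
		else
			shown+=("$arg")
			if [ "$arg" = "-w" ]; then
				mask_next=yes
			fi
		fi
	done
	# "${shown[*]}" joins into one word; "$@" inside the quotes would have
	# handed record() several arguments instead of one string.
	record "[CMD: ${shown[*]}]"

	"$@" >>"$TEST_OF" 2>&1
	local code=$?

	case "$result_type" in
		ZERO_RC)
			if [ "$code" -ne 0 ]; then
				test_failure "expected zero return code, got $code"
			else
				test_success
			fi
			;;

		NONZERO_RC)
			if [ "$code" -eq 0 ]; then
				test_failure "expected non-zero return code"
			else
				test_success
			fi
			;;

		*)
			test_failure "unknown TEST type '$result_type'"
			;;
	esac

	test_end
}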
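tests() {
	# Exercise the slapd listeners: which transports accept an authenticated
	# bind, which reject an anonymous bind, and which addresses are not
	# served at all. The expected failures matter as much as the successes:
	# they show clear-text binds are confined to localhost and that the TLS
	# certificate is checked against the hostname.
	#
	# Globals read: PRIMARY_HOSTNAME, PRIVATE_IP, LDAP_ADMIN_DN,
	#               LDAP_ADMIN_PASSWORD
	#
	# NOTE: the admin password is passed with -w, so it is visible on the
	# ldapsearch command line (ps) while each search runs; ldapsearch's
	# -y <file> keeps it off argv if that matters on the test host.
	local base="dc=mailinabox"

	# TLS: auth search to (local)host - expect success
	exe_test ZERO_RC "TLS-auth-host" \
		ldapsearch -d 1 -b "$base" -H "ldaps://$PRIMARY_HOSTNAME/" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD"

	# TLS: auth search to localhost - expect failure ("hostname does not match CN in peer certificate")
	exe_test NONZERO_RC "TLS-auth-local" \
		ldapsearch -d 1 -b "$base" -H "ldaps://127.0.0.1/" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD"

	# TLS: anon search - expect failure (anon bind disallowed)
	exe_test NONZERO_RC "TLS-anon-host" \
		ldapsearch -d 1 -b "$base" -H "ldaps://$PRIMARY_HOSTNAME/" -x

	# CLEAR: auth search to host - expected failure (not listening there)
	exe_test NONZERO_RC "CLEAR-auth-host" \
		ldapsearch -d 1 -b "$base" -H "ldap://$PRIVATE_IP/" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD"

	# CLEAR: auth search to localhost - expect success
	exe_test ZERO_RC "CLEAR-auth-local" \
		ldapsearch -d 1 -b "$base" -H "ldap://127.0.0.1/" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD"

	# CLEAR: anon search - expect failure (anon bind disallowed)
	exe_test NONZERO_RC "CLEAR-anon-local" \
		ldapsearch -d 1 -b "$base" -H "ldap://127.0.0.1/" -x

	# STARTTLS: auth search to localhost - expected failure ("hostname does not match CN in peer certificate")
	exe_test NONZERO_RC "STARTTLS-auth-local" \
		ldapsearch -d 1 -b "$base" -H "ldap://127.0.0.1/" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" -ZZ

	# STARTTLS: auth search to host - expected failure (not listening there)
	exe_test NONZERO_RC "STARTTLS-auth-host" \
		ldapsearch -d 1 -b "$base" -H "ldap://$PRIVATE_IP/" -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" -ZZ
}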
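test_fail2ban() {
	# Verify that repeated LDAP bind failures get the client banned by
	# fail2ban: create a throw-away user, bind with a wrong password until
	# the connection is refused (ldapsearch code 255) or $total attempts
	# are used up, then make one more attempt against $PRIVATE_IP and
	# require it to be refused.
	#
	# Globals read: TEST_OF, LDAP_URL, LDAP_USERS_BASE, PRIVATE_IP,
	#               ATTR_DN (set by create_user)
	# Calls:        fail2ban-client, create_user, delete_user, ldapsearch,
	#               and the test_*/record/have_test_failures helpers
	# Side effects: runs "fail2ban-client unban --all" before and after
	#               the test, which clears every jail, not just the LDAP one
	test_start "fail2ban"

	# reset fail2ban so an earlier test cannot leave us pre-banned
	record "[reset fail2ban]"
	fail2ban-client unban --all >>"$TEST_OF" 2>&1 ||
		test_failure "Unable to execute unban --all"

	# create regular user with password "alice"
	local alice="alice@somedomain.com"
	create_user "$alice" "alice"
	local alice_dn="$ATTR_DN"

	# log in a bunch of times with wrong password
	local n=0
	local total=25
	local banned=no
	local code
	record '[log in 25 times with wrong password]'
	while ! have_test_failures && [ "$n" -lt "$total" ]; do
		ldapsearch -H "$LDAP_URL" -D "$alice_dn" -w "bad-alice" -b "$LDAP_USERS_BASE" -s base "(objectClass=*)" >>"$TEST_OF" 2>&1
		code=$?
		record "TRY $n: result code $code"

		if [ "$code" -eq 255 ] && [ "$n" -gt 5 ]; then
			# banned - could not connect. The n > 5 guard stops a connection
			# failure on the first few tries (server not up) from being
			# taken as a ban; it is reported as an unexpected code below.
			banned=yes
			break
		elif [ "$code" -ne 49 ]; then
			test_failure "Expected error code 49 (invalidCredentials), but got $code"
			# have_test_failures is now true, so the loop condition ends it
			continue
		fi

		n=$((n + 1))
		if [ "$n" -lt "$total" ]; then
			record "sleep 1"
			sleep 1
		fi
	done

	if ! have_test_failures && [ "$banned" = "no" ]; then
		# every attempt went through without a refusal: give fail2ban a
		# moment to act, then probe once more
		record "[waiting for fail2ban]"
		record "sleep 5"
		sleep 5
		# NOTE(review): this probe targets $PRIVATE_IP while the loop above
		# used $LDAP_URL -- presumably the ban is keyed on the address the
		# failed binds arrived from; confirm both land in the same jail
		ldapsearch -H "ldap://$PRIVATE_IP" -D "$alice_dn" -w "bad-alice" -b "$LDAP_USERS_BASE" -s base "(objectClass=*)" >>"$TEST_OF" 2>&1
		code=$?
		record "$n result: $code"
		if [ "$code" -ne 255 ]; then
			test_failure "Expected to be banned after repeated login failures, but wasn't"
		fi
	fi

	# delete alice
	delete_user "$alice"

	# reset fail2ban so the test host is not left banned for later tests
	record "[reset fail2ban]"
	fail2ban-client unban --all >>"$TEST_OF" 2>&1 ||
		test_failure "Unable to execute unban --all"

	# done
	test_end
}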
# Run the suite: the listener/transport checks first, then the fail2ban
# lockout check. suite_start, suite_end and the test_*/record helpers
# used above are not defined in this file.
suite_start "ldap-connection"

tests
test_fail2ban

suite_end