From: Radosław Korzeniewski Date: Thu, 15 Oct 2020 16:49:44 +0000 (+0200) Subject: regress: Add BPAM LDAP Plugin regression tests X-Git-Tag: Release-11.3.2~921 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=217e8bb1327b7cec0b5ceeb77868b67c99d903ee;p=thirdparty%2Fbacula.git regress: Add BPAM LDAP Plugin regression tests --- diff --git a/regress/prototype.conf b/regress/prototype.conf index 5ca729ae2..be113d32a 100644 --- a/regress/prototype.conf +++ b/regress/prototype.conf @@ -33,13 +33,13 @@ SQLITE3_DIR=${HOME}/bacula/depkgs/sqlite3 # Set your database here #WHICHDB="--with-sqlite3=${SQLITE3_DIR}" #WHICHDB="--with-postgresql" -WHICHDB="--with-mysql" +WHICHDB="--with-mysql" # set to /dev/null if you do not have a tape drive # Note this is used for both the tape tests and the # autochanger TAPE_DRIVE="/dev/nst0" -# set to scsi control for shared storage +# set to scsi control for shared storage TAPE_CONTROL="/dev/null" # if you don't have an autochanger set AUTOCHANGER to /dev/null @@ -57,7 +57,7 @@ SLOT1=1 # what slot to use for the second tape SLOT2=2 -# For two drive tests -- set to /dev/null if you do not have it +# For two drive tests -- set to /dev/null if you do not have it TAPE_DRIVE1="/dev/null" # Set to second drive scsi control TAPE_CONTROL1="/dev/null" 
@@ -79,16 +79,16 @@ TCPWRAPPERS="--with-tcp-wrappers" # Set this to "" to disable OpenSSL support, "--with-openssl=yes" # to enable it, or provide the path to the OpenSSL installation, # eg "--with-openssl=/usr/local" -# -# Note, you can also add any other (as many as you want) special +# +# Note, you can also add any other (as many as you want) special # Bacula configuration options here, such as --disable-batch-insert # OPENSSL="--with-openssl $BAT" # Point RSYNC variable where your librsync 0.9.7b is installed -# you can compile librsync with +# you can compile librsync with # ./configure --with-pic --prefix=$HOME/dev/depkgs-rsync -# make +# make # make install # # Then use the following RSYNC variable in your regress config file @@ -96,9 +96,9 @@ OPENSSL="--with-openssl $BAT" RSYNC= # Point TOKYOCABINET variable where your tokyocabinet is installed -# you can compile tokyocabinet with +# you can compile tokyocabinet with # ./configure --with-pic --prefix=$HOME/dev/depkgs-tokyocabinet -# make +# make # make install # # Then use the following TOKYOCABINET variable in your regress config file @@ -145,7 +145,7 @@ SITE_NAME=bacula-${HOST} # is a real pain since the Win32 machine is not localhost and you # also need to specify what to backup. # There are a few Win32 tests e.g. tests/win32-test where this will -# work. You must specify the client name, its address, and a +# work. You must specify the client name, its address, and a # file (which may be a directory) on the machine to backup. # It will be backed up and restored to c:/tmp, but no checking # of the resulting restore data is done. @@ -176,7 +176,7 @@ WIN32_PASS=PasswordWin REMOTE_HOST_ADDR= # Name of this Director which will be validated remotely -# If we are the Director, you must put xxxx below. +# If we are the Director, you must put xxxx below. # Only on the remote director do you put the name # of this director in the HOST environment variable REMOTE_DIR_NAME="xxxxx" 
@@ -189,7 +189,7 @@ REMOTE_DIR_NAME="xxxxx" REMOTE_CLIENT="yyyy" # Client FQDN or IP address REMOTE_ADDR="yyyy" -# File or Directory to backup. This is put in the "File" directive +# File or Directory to backup. This is put in the "File" directive # in the FileSet REMOTE_FILE="/tmp" # Port of Win32 client @@ -209,3 +209,8 @@ REMOTE_STORE_ADDR="zzzz" # It should point to the mounted GPFS # #GPFSDIR=/gpfs + +# +# This is a location of `slapd` daemon required for LDAP testing +# +#SLAPD_DAEMON="/usr/sbin/slapd" diff --git a/regress/scripts/bacula-dir.auth-ldap-plugin.conf.in b/regress/scripts/bacula-dir.auth-ldap-plugin.conf.in new file mode 100644 index 000000000..a0888d44a --- /dev/null +++ b/regress/scripts/bacula-dir.auth-ldap-plugin.conf.in 
@@ -0,0 +1,128 @@
+#
+# Default Bacula Director Configuration file
+#
+# The only thing that MUST be changed is to add one or more
+# file or directory names in the Include directive of the
+# FileSet resource.
+#
+# For Bacula release 1.39.27 (24 October 2006) -- debian testing/unstable
+#
+# You might also want to change the default email address
+# from root to your address. See the "mail" and "operator"
+# directives in the Messages resource.
+#
+
+Director { # define myself
+ Name = @hostname@-dir
+ DIRPort = @dirport@ # where we listen for UA connections
+ QueryFile = "@scriptdir@/query.sql"
+ WorkingDirectory = "@working_dir@"
+ PidDirectory = "@piddir@"
+ Plugin Directory = "@sbindir@/plugins"
+ SubSysDirectory = "@subsysdir@"
+ Maximum Concurrent Jobs = 4
+ Password = "pNvX1WiXnwv2C/F7E52LGvw6rKjbbPvu2kyuPa9pVaL3"
+ Messages = Daemon
+}
+
+Console {
+ Name = ldaptest
+ Authentication Plugin = "ldap:binddn=@BINDDN@ bindpass=@BINDPASS@ url=ldap://localhost:3890 query=@LDAPQUERY@"
+ Password = ""
+ CommandACL = status, .status
+}
+
+# Backup the catalog database (after the nightly save)
+Job {
+ Name = "BackupCatalog"
+ Type = Backup
+ Client=@hostname@-fd
+ FileSet="Catalog"
+ Schedule = "WeeklyCycleAfterBackup"
+ Storage = File
+ Messages = Daemon
+ Pool = Default
+ # This creates an ASCII copy of the catalog
+ RunBeforeJob = "@sbindir@/make_catalog_backup -u regress"
+ # This deletes the copy of the catalog
+ RunAfterJob = "@sbindir@/delete_catalog_backup"
+ Write Bootstrap = "@working_dir@/BackupCatalog.bsr"
+ Max Run Time = 30min
+}
+
+# Standard Restore template, to be changed by Console program
+Job {
+ Name = "RestoreFiles"
+ Type = Restore
+ Client=@hostname@-fd
+ FileSet="Catalog"
+ Storage = File
+ Messages = Daemon
+ Pool = Default
+ Where = @tmpdir@/bacula-restores
+ Max Run Time = 30min
+}
+
+# This schedule does the catalog. It starts after the WeeklyCycle
+Schedule {
+ Name = "WeeklyCycleAfterBackup"
+ Run = Level=Full sun-sat at 1:10
+}
+
+# This is the backup of the catalog
+FileSet {
+ Name = "Catalog"
+ Include { Options { signature=MD5 }
+ File=/home/kern/bacula/regress/bin/working/bacula.sql
+ }
+}
+
+# Client (File Services) to backup
+Client {
+ Name = @hostname@-fd
+ Address = @hostname@
+ FDPort = @fdport@
+ Catalog = MyCatalog
+ Password = "xevrjURYoCHhn26RaJoWbeWXEY/a3VqGKp/37tgWiuHc" # password for FileDaemon
+ File Retention = 30d # 30 days
+ Job Retention = 180d # six months
+ AutoPrune = yes # Prune expired Jobs/Files
+ Maximum Concurrent Jobs = 4
+}
+
+# Definiton of file storage device
+Storage {
+ Name = File
+ Address = @hostname@ # N.B. Use a fully qualified name here
+ SDPort = @sdport@
+ Password = "ccV3lVTsQRsdIUGyab0N4sMDavui2hOBkmpBU0aQKOr9"
+ Device = FileStorage
+ Media Type = File
+ Maximum Concurrent Jobs = 4
+}
+
+# Generic catalog service
+Catalog {
+ Name = MyCatalog
+ @libdbi@
+ dbname = @db_name@; user = @db_user@; password = "@db_password@"
+}
+
+#
+# Message delivery for daemon messages (no job).
+Messages {
+ Name = Daemon
+ mailcommand = "@sbindir@/bsmtp -h @smtp_host@ -f \"\(Bacula regression\) %r\" -s \"Regression daemon message\" %r"
+# mail = @job_email@ = all, !skipped
+ console = all, !skipped, !saved
+ append = "@working_dir@/log" = all, !skipped
+}
+
+# Default pool definition
+Pool {
+ Name = Default
+ Pool Type = Backup
+ Recycle = yes # Bacula can automatically recycle Volumes
+ AutoPrune = yes # Prune expired volumes
+ Volume Retention = 365d # one year
+}
diff --git a/regress/scripts/bconsole.auth-ldap-plugin.conf.in b/regress/scripts/bconsole.auth-ldap-plugin.conf.in
new file mode 100644
index 000000000..e62bf3ab5
--- /dev/null
+++ b/regress/scripts/bconsole.auth-ldap-plugin.conf.in
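Review bot: The `Console { Name = ldaptest ... }` resource has no comment explaining why `Password = ""` is empty or that its plugin string is a test fixture, so it reads like a template that could be copied into a real Director config. I would add above it `# Regression fixture: authentication is delegated to the LDAP plugin, so Password is intentionally empty.` and `# bindpass is stored in clear text and the URL is plain ldap:// on loopback; do not reuse outside the test rig.` Separately, the `FileSet` hard-codes `File=/home/kern/bacula/regress/bin/working/bacula.sql` while the rest of the file uses `@working_dir@`; `File=@working_dir@/bacula.sql` looks like what was meant.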
@@ -0,0 +1,16 @@ +# +# Bacula User Agent (or Console) Configuration File +# + +Director { + Name = @hostname@-dir + DIRPort = @dirport@ + address = @hostname@ + Password = "shoozudah0io7eipohyachait1oothee9oGu2AejieThadai" +} + +Console { + Name = ldaptest + Password = "bconsole-unused-pw" + Director = @hostname@-dir +} diff --git a/regress/scripts/copy-ldap-auth-plugin-confs b/regress/scripts/copy-ldap-auth-plugin-confs new file mode 100755 index 000000000..4baab496b --- /dev/null +++ b/regress/scripts/copy-ldap-auth-plugin-confs @@ -0,0 +1,8 @@ +#!/bin/sh +cp -f ${rscripts}/bacula-dir.auth-ldap-plugin.conf ${conf}/bacula-dir.conf +cp -f ${rscripts}/test-bacula-sd.conf ${conf}/bacula-sd.conf +cp -f ${rscripts}/test-bacula-fd.conf ${conf}/bacula-fd.conf +cp -f ${rscripts}/test-console.conf ${conf}/bconsole.conf +cp -f ${rscripts}/bconsole.auth-ldap-plugin.conf ${conf}/bconsole.auth-ldap-plugin.conf + +scripts/set_tape_options diff --git a/regress/scripts/do_sed b/regress/scripts/do_sed index 04dd51f82..a17c1c1ed 100755 --- a/regress/scripts/do_sed +++ b/regress/scripts/do_sed @@ -108,6 +108,9 @@ sed -f ${out} ${rscripts}/hdfs-plugin-test-bacula-dir.conf.in >${rscripts}/hdfs- sed -f ${out} ${rscripts}/cdp-plugin-test-bacula-dir.conf.in >${rscripts}/cdp-plugin-test-bacula-dir.conf sed -f ${out} ${rscripts}/cdp-plugin-test-bacula-sd.conf.in >${rscripts}/cdp-plugin-test-bacula-sd.conf +sed -f ${out} ${rscripts}/bacula-dir.auth-ldap-plugin.conf.in >${rscripts}/bacula-dir.auth-ldap-plugin.conf +sed -f ${out} ${rscripts}/bconsole.auth-ldap-plugin.conf.in >${rscripts}/bconsole.auth-ldap-plugin.conf + chmod 755 ${rscripts}/regress-config if test -f ${conf}/bacula-sd.conf ; then diff --git a/regress/scripts/regress-utils.sh b/regress/scripts/regress-utils.sh index 154ade148..51dd7b94d 100644 --- a/regress/scripts/regress-utils.sh +++ b/regress/scripts/regress-utils.sh 
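Review bot: Every `cp -f` in copy-ldap-auth-plugin-confs expands `${rscripts}` and `${conf}` unquoted and unchecked, so if the script runs without the regress environment (the variables are presumably exported by the caller) the targets collapse to `/bacula-dir.conf` and similar, and a failed copy goes unnoticed. Adding `: "${rscripts:?}" "${conf:?}"` after the shebang and quoting the operands, e.g. `cp -f "${rscripts}/test-console.conf" "${conf}/bconsole.conf"`, would stop the run before it writes outside the test tree.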
@@ -31,7 +31,7 @@ setup_plugin_param() LPLUG=$1 if [ "x$debug" != "x" ] then - LPLUG="$LPLUG debug=1" + LPLUG="$LPLUG debug=1" fi export LPLUG } @@ -61,14 +61,14 @@ fi # do_regress_unittest() { -. scripts/functions -tname=$1 -tdirloc=$2 -make -C ${src}/${tdirloc} ${tname} -if test $? -eq 0; then - ${src}/${tdirloc}/${tname} -fi -exit $? + . scripts/functions + tname=$1 + tdirloc=$2 + make -C ${src}/${tdirloc} ${tname} + if test $? -eq 0; then + ${src}/${tdirloc}/${tname} + fi + exit $? } # 
@@ -283,3 +283,94 @@ else
 return 0
 fi
 }
+
+#
+# This is a simple common function which start a fresh, new local slapd
+# available on ldap://localhost:3890
+#
+# On ubuntu
+# sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.slapd
+#
+start_local_slapd()
+{
+if [ "x${SLAPD_DAEMON}" == "x" ]
+then
+ S1=`which slapd | wc -l`
+ if [ $S1 -eq 0 ]
+ then
+ echo "slapd not found! required!"
+ exit 1
+ fi
+ SLAPD_DAEMON="slapd"
+fi
+
+rm -rf ${tmp}/ldap
+mkdir ${tmp}/ldap
+
+db_name="database$$"
+echo ${db_name} > ${tmp}/ldap_db_name
+
+ldaphome=/etc/openldap
+if [ -d /etc/ldap ]
+then
+ ldaphome=/etc/ldap
+fi
+
+cat << END_OF_DATA > ${tmp}/ldap/slapd.conf
+include ${ldaphome}/schema/core.schema
+pidfile ${tmp}/slapd.pid
+argsfile ${tmp}/slapd.args
+
+moduleload back_bdb.la
+database bdb
+suffix "dc=${db_name},dc=bacula,dc=com"
+directory ${tmp}/ldap
+rootdn "cn=root,dc=${db_name},dc=bacula,dc=com"
+rootpw rootroot
+
+index cn,sn,uid pres,eq,approx,sub
+index objectClass eq
+
+END_OF_DATA
+
+printf "Starting local slapd ... "
+${SLAPD_DAEMON} -f ${tmp}/ldap/slapd.conf -h ldap://localhost:3890 -d0 &
+SLAPD=$!
+trap "kill $SLAPD" EXIT
+sleep 5
+
+cat << END_OF_DATA > ${tmp}/entries.ldif
+dn: dc=$db_name,dc=bacula,dc=com
+objectClass: dcObject
+objectClass: organization
+dc: $db_name
+o: Example Corporation
+description: The Example Corporation $db_name
+
+# Organizational Role for Directory Manager
+dn: cn=root,dc=$db_name,dc=bacula,dc=com
+objectClass: organizationalRole
+cn: root
+description: Directory Manager
+END_OF_DATA
+
+ldapadd -f $tmp/entries.ldif -x -D "cn=root,dc=$db_name,dc=bacula,dc=com" -w rootroot -H ldap://localhost:3890
+
+if [ $? -ne 0 ]; then
+ print_debug "ERROR: Need to setup ldap access correctly"
+ kill -INT `cat $tmp/slapd.pid`
+ exit 1;
+fi
+
+echo "done"
+}
+
+#
+# simply stops a background slapd daemon
+#
+stop_local_slapd()
+{
+ trap - EXIT
+ kill -INT `cat ${tmp}/slapd.pid`
+ sleep 5
+}
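Review bot: The failure path after `ldapadd` and `stop_local_slapd` both signal whatever PID is in `${tmp}/slapd.pid`, but that file is written outside `${tmp}/ldap` and is not removed by the `rm -rf` at the top of `start_local_slapd`. If slapd fails to start, a stale PID left by an earlier run can be signalled (unless something outside this hunk clears `${tmp}`), or `kill` runs with no argument. I would clear the file on entry with `rm -f "${tmp}/slapd.pid" "${tmp}/slapd.args"` and use the PID already captured from `$!` in the error path, `kill -INT "$SLAPD"`. The directory removal is also safer as `rm -rf "${tmp:?}/ldap"`, so an unset `tmp` aborts instead of expanding to `/ldap`. The generated `slapd.conf` holds `rootpw` in clear text, so a `chmod 600` after writing it would keep it private on shared build hosts.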
diff --git a/regress/tests/ldap-auth-plugin-test b/regress/tests/ldap-auth-plugin-test
new file mode 100755
index 000000000..9ddc3f2ab
--- /dev/null
+++ b/regress/tests/ldap-auth-plugin-test
@@ -0,0 +1,60 @@
+#!/bin/bash
+#
+# Copyright (C) 2020 Radosław Korzeniewski
+# License: BSD 2-Clause; see file LICENSE-FOSS
+#
+
+TestName="ldap-auth-plugin-test"
+. scripts/functions
+. scripts/regress-utils.sh
+
+mkdir -p ${tmp}
+
+scripts/cleanup
+scripts/copy-ldap-auth-plugin-confs
+
+start_local_slapd
+
+# Authentication Plugin = "ldap:binddn=@BINDDN@ bindpass=@BINDPASS@ url=ldap://localhost:3890 query=@LDAPQUERY@"
+db_name=`cat ${tmp}/ldap_db_name`
+BINDDN="cn=root,dc=$db_name,dc=bacula,dc=com"
+BINDPASS=rootroot
+LDAPQUERY="dc=$db_name,dc=bacula,dc=com/(cn=%u)"
+
+out_sed="${tmp}/sed_tmp"
+cp ${conf}/bacula-dir.conf ${tmp}/bacula-dir.conf
+echo "s!@BINDDN@!${BINDDN}!g" >> ${out_sed}
+echo "s!@BINDPASS@!${BINDPASS}!g" >> ${out_sed}
+echo "s!@LDAPQUERY@!${LDAPQUERY}!g" >> ${out_sed}
+
+sed -i -f ${out_sed} ${tmp}/bacula-dir.conf
+mv ${tmp}/bacula-dir.conf ${conf}/bacula-dir.conf
+rm ${out_sed}
+
+start_test
+
+#export debug=1
+
+cat << END_OF_DATA >${tmp}/bconcmds
+@output /dev/null
+messages
+@$out ${tmp}/log.out
+quit
+END_OF_DATA
+
+run_bacula
+
+# now we should test authentication
+printf "Authentication test ... "
+estat=0
+printf "root\nrootroot\nstatus dir\n" | ${bin}/bconsole -p > ${tmp}/log1.out
+if [ `grep Version: ${tmp}/log1.out | wc -l` -le 1 ]
+then
+ printf "failed ... "
+ estat=1
+fi
+echo "done"
+
+stop_bacula
+stop_local_slapd
+end_test
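Review bot: The authentication check only exercises the success path (`root` / `rootroot`), so a plugin that accepted any password would still pass. An authentication regression test should also assert that a wrong password is rejected. I would add a second bconsole run after the existing check, mirroring its `Version:` threshold as sketched below; the expected count for a rejected login is inferred from the existing check and should be confirmed. Also, `${bin}/bconsole -p` is called without `-c`, so nothing visible here selects `${conf}/bconsole.auth-ldap-plugin.conf` with the `ldaptest` console; confirm which console configuration the run actually uses.

```shell
# … unchanged: positive check writing ${tmp}/log1.out …
printf "root\nnot-the-password\nstatus dir\n" | ${bin}/bconsole -p > ${tmp}/log2.out
if [ `grep Version: ${tmp}/log2.out | wc -l` -gt 1 ]
then
   printf "wrong password accepted ... "
   estat=1
fi
```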