From 59bdc8158f51fc22cc3c6d6dd2db9e5aa4bcfdc4 Mon Sep 17 00:00:00 2001
From: Ryan Tandy
Date: Mon, 27 Apr 2020 23:24:16 -0700
Subject: [PATCH] Convert test077 to LDIF config
---
tests/data/slapd-sasl-gssapi.conf | 65 ------------------
tests/scripts/defines.sh | 1 -
tests/scripts/test077-sasl-gssapi | 108 ++++++++++++++++++++++++++++--
3 files changed, 103 insertions(+), 71 deletions(-)
delete mode 100644 tests/data/slapd-sasl-gssapi.conf
diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
deleted file mode 100644
index 611fc7097..000000000
--- a/tests/data/slapd-sasl-gssapi.conf
+++ /dev/null
@@ -1,65 +0,0 @@
-# stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP$
-## This work is part of OpenLDAP Software .
-##
-## Copyright 1998-2020 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## .
-
-#
-include @SCHEMADIR@/core.schema
-include @SCHEMADIR@/cosine.schema
-#
-include @SCHEMADIR@/corba.schema
-include @SCHEMADIR@/java.schema
-include @SCHEMADIR@/inetorgperson.schema
-include @SCHEMADIR@/misc.schema
-include @SCHEMADIR@/nis.schema
-include @SCHEMADIR@/openldap.schema
-#
-include @SCHEMADIR@/duaconf.schema
-include @SCHEMADIR@/dyngroup.schema
-
-#
-pidfile @TESTDIR@/slapd.1.pid
-argsfile @TESTDIR@/slapd.1.args
-
-# SSL configuration
-TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
-TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
-TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
-
-#
-rootdse @DATADIR@/rootdse.ldif
-
-#mod#modulepath ../servers/slapd/back-@BACKEND@/
-#mod#moduleload back_@BACKEND@.la
-#monitormod#modulepath ../servers/slapd/back-monitor/
-#monitormod#moduleload back_monitor.la
-
-
-#######################################################################
-# database definitions
-#######################################################################
-
-database @BACKEND@
-suffix "dc=example,dc=com"
-rootdn "cn=Manager,dc=example,dc=com"
-rootpw secret
-#~null~#directory @TESTDIR@/db.1.a
-#indexdb#index objectClass eq
-#indexdb#index mail eq
-#ndb#dbname db_1_a
-#ndb#include @DATADIR@/ndb.conf
-
-#monitor#database monitor
-
-sasl-realm @KRB5REALM@
-sasl-host localhost
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 78dc1f8ae..76c85b442 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -108,7 +108,6 @@ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf
 SCHEMACONF=$DATADIR/slapd-schema.conf
 TLSCONF=$DATADIR/slapd-tls.conf
 TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
-SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
 GLUECONF=$DATADIR/slapd-glue.conf
 REFINTCONF=$DATADIR/slapd-refint.conf
 RETCODECONF=$DATADIR/slapd-retcode.conf
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
index bde9006ca..322df60a4 100755
--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then
 exit 0
 fi
-mkdir -p $TESTDIR $DBDIR1
+CONFDIR=$TESTDIR/slapd.d
+CONFLDIF=$TESTDIR/slapd.ldif
+
+mkdir -p $TESTDIR $DBDIR1 $CONFDIR
 cp -r $DATADIR/tls $TESTDIR
+$SLAPPASSWD -g -n >$CONFIGPWF
 echo "Starting KDC for SASL/GSSAPI tests..."
 . $SRCDIR/scripts/setup_kdc.sh
-echo "Running slapadd to build slapd database..."
-. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
-$SLAPADD -f $CONF1 -l $LDIFORDERED
+echo "Configuring slapd..."
+cat > $CONFLDIF < $LOG1 2>&1 &
+$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
 PID=$!
 if test $WAIT != 0 ; then
 echo PID $PID
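Review bot: `$SLAPPASSWD -g -n >$CONFIGPWF` (the new line after `cp -r $DATADIR/tls $TESTDIR`) discards slappasswd's exit status, so if it fails the script carries on with an empty `$CONFIGPWF` and the problem only surfaces later as a bind error from the `ldapmodify -y $CONFIGPWF` calls, far from its cause; `$SLAPPASSWD -g -n >$CONFIGPWF || exit 1` would stop at the right place, and nothing needs to be killed yet since the KDC is only started on the following lines. The cn=config LDIF written to `$CONFLDIF` appears to have been lost in this rendering — the line shows as `cat > $CONFLDIF < $LOG1 2>&1 &` — so its contents, in particular how the generated password becomes the config rootpw and how the directory is loaded now that the `$SLAPADD -f $CONF1 -l $LDIFORDERED` step is removed, could not be reviewed here. The generated password file is created with whatever umask the test runner has; presumably acceptable for throwaway test data under `$TESTDIR`, but a one-line comment such as `# config rootpw for this run; test-only, lives under $TESTDIR` would make that intent explicit.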
@@ -141,6 +166,79 @@ else
 fi
 fi
+if test $WITH_TLS = no ; then
+ echo "TLS support not available, skipping channe-binding test"
+elif test $HAVE_SASL_GSS_CBIND = no ; then
+ echo "SASL has no channel-binding support in GSSAPI, test skipped"
+else
+ echo "Testing SASL/GSSAPI with SASL_CBINDING..."
+
+ for acb in "none" "tls-unique" "tls-endpoint" ; do
+
+ echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
+ $LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF < $TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+replace: olcSaslCBinding
+olcSaslCBinding: ${acb}
+EOF
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ for icb in "none" "tls-unique" "tls-endpoint" ; do
+
+ # The gnutls implemantation of "tls-unique" seems broken
+ if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
+ if test $WITH_TLS_TYPE == gnutls ; then
+ continue
+ fi
+ fi
+
+ fail="no"
+ if test $icb != $acb -a $acb != "none" ; then
+ # This currently fails in MIT, but it is planned to be
+ # fixed not to fail like in heimdal - avoid testing.
+ if test $icb = "none" ; then
+ continue
+ fi
+ # Otherwise unmatching bindings are expected to fail.
+ fail="yes"
+ fi
+
+ echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
+ echo -ne "(client: ${icb},\tserver: ${acb}): "
+
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ -o SASL_CBINDING=$icb > $TESTOUT 2>&1
+
+ RC=$?
+ if test $RC != 0 ; then
+ if test $fail = "no" ; then
+ echo "test failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+ elif test $fail = "yes" ; then
+ echo "failed: command succeeded unexpectedly."
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+
+ echo "success"
+ RC=0
+ done
+ done
+fi
+
+
 kill $KDCPROC
 test $KILLSERVERS != no && kill -HUP $KILLPIDS
-- 
2.29.2
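Review bot: `if test $WITH_TLS_TYPE == gnutls ; then` uses `==`, which POSIX `test` does not accept, while the rest of the hunk and the script compare with `=` (e.g. `test $WITH_SASL = no`, `test $icb = "tls-unique"`); under a non-bash /bin/sh the comparison fails with "unexpected operator" and evaluates false, so the tls-unique combinations the comment says are broken with gnutls are run instead of skipped. Change it to `if test $WITH_TLS_TYPE = gnutls ; then`. The same portability caveat applies to `echo -n` and `echo -ne "(client: ${icb},\tserver: ${acb}): "`, whose flags and `\t` handling differ between shells' builtin echo; `printf` would be the safe form if the suite is meant to run under such shells. Two typos in the new text: "channe-binding" in the skip message and "implemantation" in the comment. Note also that `-o tls_reqcert=allow` disables server certificate verification for the ldapwhoami runs, so the `tls_cacert` option is effectively not enforced — fine for a test that only exercises channel binding, but worth a one-line comment such as `# cert verification deliberately relaxed; only the channel binding is under test` so it is not copied into non-test code.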