openldap2/0231-ITS-9468-Added-test-case-for-proxy-re-binding-anonym.patch

From 430ca1b323d92a4ec02bbeda0acb556467751ae6 Mon Sep 17 00:00:00 2001
From: Tero Saarni <tero.saarni@est.tech>
Date: Wed, 24 Feb 2021 18:24:31 +0200
Subject: [PATCH 231/238] ITS#9468 Added test case for proxy re-binding
 anonymously

---
 tests/data/regressions/its9468/its9468        | 421 ++++++++++++++++++
 .../data/regressions/its9468/slapd-proxy.conf |  81 ++++
 .../regressions/its9468/slapd-remote.conf     |  50 +++
 3 files changed, 552 insertions(+)
 create mode 100755 tests/data/regressions/its9468/its9468
 create mode 100644 tests/data/regressions/its9468/slapd-proxy.conf
 create mode 100644 tests/data/regressions/its9468/slapd-remote.conf

diff --git a/tests/data/regressions/its9468/its9468 b/tests/data/regressions/its9468/its9468
new file mode 100755
index 000000000..f79b48687
--- /dev/null
+++ b/tests/data/regressions/its9468/its9468
@@ -0,0 +1,421 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+ITS=9468
+ITSDIR=$DATADIR/regressions/its$ITS
+
+if test $BACKLDAP = "ldapno" ; then
+	echo "LDAP backend not available, test skipped"
+	exit 0
+fi
+if test $RWM = "rwmno" ; then
+        echo "rwm (rewrite/remap) overlay not available, test skipped"
+        exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2
+
+echo "This test checks back-ldap connection retry behavior when the connection"
+echo "to remote LDAP server is disconnected due to:"
+echo " - remote server disconnecting the proxy connection"
+echo " - proxy disconnecting the remote server connection due to timeout/ttl"
+
+#
+# Start slapd that acts as a remote LDAP server that will be proxied
+#
+echo "Running slapadd to build database for the remote slapd server..."
+. $CONFFILTER $BACKEND <  $ITSDIR/slapd-remote.conf > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+	echo "slapadd failed ($RC)!"
+	exit $RC
+fi
+
+echo "Starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL > $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+	echo SERVERPID $SERVERPID
+	read foo
+fi
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \
+		-D $MANAGERDN \
+		-w $PASSWD \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting $SLEEP0 seconds for slapd to start..."
+	sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $SERVERPID
+	exit $RC
+fi
+
+#
+# Start slapd that will proxy for the remote server
+#
+echo "Starting slapd proxy on TCP/IP port $PORT2..."
+. $CONFFILTER $BACKEND < $ITSDIR/slapd-proxy.conf > $CONF2
+$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
+PROXYPID=$!
+if test $WAIT != 0 ; then
+	echo PROXYPID $PROXYPID
+	read foo
+fi
+KILLPIDS="$KILLPIDS $PROXYPID"
+
+echo "Using ldapsearch to check that slapd is running..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "$MONITORDN" -H $URI2 \
+		-D "cn=Manager,dc=local,dc=com" \
+		-w $PASSWD \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting $SLEEP0 seconds for slapd to start..."
+	sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS
+	exit $RC
+fi
+
+# Create fifo that is used to pass searches from the test case to ldapsearch without
+# disconnecting the client -> proxy connection
+rm -f $TESTDIR/ldapsearch.fifo
+mkfifo $TESTDIR/ldapsearch.fifo
+
+#############################################################################
+#
+# Test 1: Check that proxy WILL NOT try to re-establish connection and rebind
+# after server has disconnected the connection towards proxy.
+#
+# Proxy config is
+# - rebind-as-user no
+# - no idle-timeout of conn-ttl set
+#
+
+echo "Test 1"
+
+# Start ldapsearch on background and have it read search filters from fifo,
+# so that single client connection will persist over many searches
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=no-rebind,dc=no-timeout,$BASEDN" \
+	-D "cn=Barbara Jensen,dc=no-rebind,dc=no-timeout,$BASEDN" \
+	-w "bjensen"  \
+	-H $URI2 \
+	-f $TESTDIR/ldapsearch.fifo > $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$KILLPIDS $LDAPSEARCHPID"
+
+# Open fifo as file descriptor
+exec 3>$TESTDIR/ldapsearch.fifo
+
+# Trigger LDAP connections towards the proxy by executing a search
+echo 'objectclass=*' >&3
+# Wait for ldapsearch process on the background to catch up reading the fifo
+sleep 2
+
+# Check the number of bind operations that proxy has executed so far
+NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \
+	-H $URI2 \
+	-D "cn=Manager,dc=local,dc=com" \
+	-w $PASSWD \
+	-b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+	tee -a $TESTOUT | \
+	sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+# Restart the remote server to invalidate TCP connection between proxy and remote
+echo "Killing and re-starting remote slapd server on TCP/IP port $PORT1..."
+kill -HUP $SERVERPID
+sleep 2
+
+# When forking slapd on background, close filehandle 3 to avoid leaving fifo hanging uncloseable
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 3>&- &
+SERVERPID=$!
+KILLPIDS="$KILLPIDS $SERVERPID"
+
+echo "Using ldapsearch to check that remote slapd is running..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \
+		-D $MANAGERDN \
+		-w $PASSWD \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting $SLEEP0 seconds for slapd to start..."
+	sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+	exit $RC
+fi
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+# Wait for ldapsearch process on the background to catch up reading the fifo
+sleep 2
+
+# Check how many binds have been executed after retry
+NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \
+	-H $URI2 \
+	-D "cn=Manager,dc=local,dc=com" \
+	-w $PASSWD \
+	-b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+	tee -a $TESTOUT | \
+	sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Checking if proxy tried to re-bind to the remote server"
+if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then
+	echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+	exit 1
+fi
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+if test $RC != 52 ; then
+	echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+	exit 1
+fi
+
+#############################################################################
+#
+# Test 2: Check that proxy WILL re-establish connection and rebind after
+# remote server has disconnected the connection towards proxy.
+#
+# Proxy config is
+# - rebind-as-user yes
+# - no idle-timeout or conn-ttl set
+#
+
+echo "Test 2"
+
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=rebind,dc=no-timeout,$BASEDN" \
+	-D "cn=Barbara Jensen,dc=rebind,dc=no-timeout,$BASEDN" \
+	-w "bjensen"  \
+	-H $URI2 \
+	-f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID"
+
+exec 3>$TESTDIR/ldapsearch.fifo
+
+echo 'objectclass=*' >&3
+sleep 2
+
+echo "Killing and re-starting remote slapd server on TCP/IP port $PORT1..."
+kill -HUP $SERVERPID
+sleep 2
+
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 3>&- &
+SERVERPID=$!
+KILLPIDS="$KILLPIDS $SERVERPID"
+
+echo "Using ldapsearch to check that remote slapd is running..."
+for i in 0 1 2 3 4 5; do
+	$LDAPSEARCH -s base -b "$MONITORDN" -H $URI1 \
+		-D $MANAGERDN \
+		-w $PASSWD \
+		'objectclass=*' > /dev/null 2>&1
+	RC=$?
+	if test $RC = 0 ; then
+		break
+	fi
+	echo "Waiting $SLEEP0 seconds for slapd to start..."
+	sleep $SLEEP0
+done
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+	exit $RC
+fi
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+sleep 2
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+
+if test $RC != 0 ; then
+	echo "ldapsearch failed ($RC)!"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+	exit $RC
+fi
+
+#############################################################################
+#
+# Test 3: Check that proxy WILL NOT re-establish connection and rebind after
+# it disconnected the connection after idle-timeout or conn-ttl
+#
+# Proxy config is
+# - rebind-as-user no
+# - no idle-timeout or conn-ttl set
+#
+
+echo "Test 3"
+
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=no-rebind,dc=timeout,$BASEDN" \
+	-D "cn=Barbara Jensen,dc=no-rebind,dc=timeout,$BASEDN" \
+	-w "bjensen"  \
+	-H $URI2 \
+	-f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID"
+
+exec 3>$TESTDIR/ldapsearch.fifo
+
+echo 'objectclass=*' >&3
+# Wait for proxy->remote server timeout to expire
+sleep 4
+
+NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \
+	-H $URI2 \
+	-D "cn=Manager,dc=local,dc=com" \
+	-w $PASSWD \
+	-b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+	tee -a $TESTOUT | \
+	sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+sleep 2
+
+NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \
+	-H $URI2 \
+	-D "cn=Manager,dc=local,dc=com" \
+	-w $PASSWD \
+	-b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+	tee -a $TESTOUT | \
+	sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Checking if proxy tried to re-bind to the remote server"
+if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then
+	echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+	exit 1
+fi
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+if test $RC != 52 ; then
+	echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+	exit 1
+fi
+
+#############################################################################
+#
+# Test 4: Check that proxy WILL NOT re-establish connection and rebind after
+# it disconnected the connection after idle-timeout or conn-ttl
+#
+# Proxy config is
+# - rebind-as-user yes
+# - no idle-timeout or conn-ttl set
+#
+
+echo "Test 4"
+
+echo "Make the proxy to connect the remote LDAP server..."
+$LDAPSEARCH -b "dc=rebind,dc=timeout,$BASEDN" \
+	-D "cn=Barbara Jensen,dc=rebind,dc=timeout,$BASEDN" \
+	-w "bjensen"  \
+	-H $URI2 \
+	-f $TESTDIR/ldapsearch.fifo >> $TESTOUT 2>&1 &
+LDAPSEARCHPID=$!
+KILLPIDS="$SERVERPID $PROXYPID $LDAPSEARCHPID"
+
+exec 3>$TESTDIR/ldapsearch.fifo
+
+echo 'objectclass=*' >&3
+# Wait for proxy->remote server timeout to expire
+sleep 4
+
+NUM_PROXY_BINDS_BEFORE=`$LDAPSEARCH -LLL \
+	-H $URI2 \
+	-D "cn=Manager,dc=local,dc=com" \
+	-w $PASSWD \
+	-b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+	tee -a $TESTOUT | \
+	sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Use ldapsearch to trigger proxy retry logic"
+echo 'objectclass=*' >&3
+sleep 2
+
+NUM_PROXY_BINDS_AFTER=`$LDAPSEARCH -LLL \
+	-H $URI2 \
+	-D "cn=Manager,dc=local,dc=com" \
+	-w $PASSWD \
+	-b "cn=Bind,cn=Operations,cn=database 2,cn=databases,cn=monitor" olmDbOperation | \
+	tee -a $TESTOUT | \
+	sed -n 's/^olmDbOperation: \(.*\)/\1/p'`
+
+echo "Checking if proxy tried to re-bind to the remote server"
+if test $NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER ; then
+	echo "Failure: expected proxy bind operation count not to increase ($NUM_PROXY_BINDS_BEFORE != $NUM_PROXY_BINDS_AFTER)"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+	exit 1
+fi
+
+echo "Checking ldapsearch status"
+exec 3>&-
+wait $LDAPSEARCHPID
+RC=$?
+if test $RC != 52 ; then
+	echo "Failure: expected ldapsearch to return error unavailable (52) from proxy but got $RC"
+	test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+	exit 1
+fi
+
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS 2>/dev/null
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0
\ No newline at end of file
diff --git a/tests/data/regressions/its9468/slapd-proxy.conf b/tests/data/regressions/its9468/slapd-proxy.conf
new file mode 100644
index 000000000..a2bd893c8
--- /dev/null
+++ b/tests/data/regressions/its9468/slapd-proxy.conf
@@ -0,0 +1,81 @@
+# provider slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include		@SCHEMADIR@/core.schema
+include		@SCHEMADIR@/cosine.schema
+include		@SCHEMADIR@/inetorgperson.schema
+include		@SCHEMADIR@/openldap.schema
+include		@SCHEMADIR@/nis.schema
+pidfile		@TESTDIR@/slapd.m.pid
+argsfile	@TESTDIR@/slapd.m.args
+
+#######################################################################
+# database definitions
+#######################################################################
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/:../servers/slapd/overlays
+#mod#moduleload back_@BACKEND@.la
+#ldapmod#modulepath ../servers/slapd/back-ldap/
+#ldapmod#moduleload back_ldap.la
+#rwmmod#modulepath ../servers/slapd/overlays/
+#rwmmod#moduleload rwm.la
+#monitormod#modulepath ../servers/slapd/back-monitor/
+#monitormod#moduleload back_monitor.la
+
+database    @BACKEND@
+suffix      "dc=local,dc=com"
+rootdn      "cn=Manager,dc=local,dc=com"
+rootpw      "secret"
+#~null~#directory       @TESTDIR@/db.2.a
+
+# proxy with default settings, used for test where remote server will disconnect the proxy connection
+database	ldap
+uri		"@URI1@"
+suffix		"dc=no-rebind,dc=no-timeout,dc=example,dc=com"
+monitoring	yes
+rebind-as-user	no
+overlay		rwm
+rwm-suffixmassage "dc=no-rebind,dc=no-timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+# proxy with rebind-as-user set, used for test where remote server will disconnect the proxy connection
+database	ldap
+uri		"@URI1@"
+suffix		"dc=rebind,dc=no-timeout,dc=example,dc=com"
+monitoring	yes
+rebind-as-user	yes
+overlay		rwm
+rwm-suffixmassage "dc=rebind,dc=no-timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+# proxy with idle-timeout, used for test where proxy will disconnect the remote server connection
+database	ldap
+uri		"@URI1@"
+suffix		"dc=no-rebind,dc=timeout,dc=example,dc=com"
+monitoring	yes
+rebind-as-user	no
+idle-timeout	1
+overlay		rwm
+rwm-suffixmassage "dc=no-rebind,dc=timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+# proxy with rebind-as-user and idle-timeout, used for test where proxy will disconnect the remote server connection
+database	ldap
+uri		"@URI1@"
+suffix		"dc=rebind,dc=timeout,dc=example,dc=com"
+monitoring	yes
+rebind-as-user	yes
+idle-timeout	1
+overlay		rwm
+rwm-suffixmassage "dc=rebind,dc=timeout,dc=example,dc=com" "ou=Information Technology Division,ou=People,dc=example,dc=com"
+
+database	monitor
\ No newline at end of file
diff --git a/tests/data/regressions/its9468/slapd-remote.conf b/tests/data/regressions/its9468/slapd-remote.conf
new file mode 100644
index 000000000..71fb1cb36
--- /dev/null
+++ b/tests/data/regressions/its9468/slapd-remote.conf
@@ -0,0 +1,50 @@
+# stand-alone slapd config -- for testing (with indexing)
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2021 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include		@SCHEMADIR@/core.schema
+include		@SCHEMADIR@/cosine.schema
+include		@SCHEMADIR@/inetorgperson.schema
+include		@SCHEMADIR@/openldap.schema
+include		@SCHEMADIR@/nis.schema
+include		@DATADIR@/test.schema
+
+#
+pidfile		@TESTDIR@/slapd.1.pid
+argsfile	@TESTDIR@/slapd.1.args
+
+# disable anonymous bind in order to catch ITS#9468
+disallow	bind_anon
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+
+#######################################################################
+# database definitions
+#######################################################################
+
+database	@BACKEND@
+suffix		"dc=example,dc=com"
+rootdn		"cn=Manager,dc=example,dc=com"
+rootpw		secret
+monitoring	on
+#null#bind		on
+#~null~#directory	@TESTDIR@/db.1.a
+#indexdb#index	objectClass     eq
+#indexdb#index	cn,sn,uid       pres,eq,sub
+#mdb#maxsize	33554432
+#ndb#dbname	db_1
+#ndb#include	@DATADIR@/ndb.conf
+
+database	monitor
\ No newline at end of file
-- 
2.32.0