1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package org.apache.ldap.server.authz;
18
19
20 import java.util.HashSet;
21
22 import javax.naming.NamingEnumeration;
23 import javax.naming.NamingException;
24 import javax.naming.directory.*;
25
26 import org.apache.ldap.common.exception.LdapNoPermissionException;
27 import org.apache.ldap.common.message.LockableAttributesImpl;
28 import org.apache.ldap.server.AbstractNonAdminTestCase;
29
30
31 /***
32 * Tests the Authorization service to make sure it is enforcing policies
33 * correctly.
34 *
35 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
36 * @version $Rev: 321432 $
37 */
38 public class AuthorizationServiceAsNonAdminTest extends AbstractNonAdminTestCase
39 {
40 /***
41 * Makes sure a non-admin user cannot delete the admin account.
42 *
43 * @throws NamingException if there are problems
44 */
45 public void testNoDeleteOnAdminByNonAdmin() throws NamingException
46 {
47 try
48 {
49 sysRoot.destroySubcontext( "uid=admin" );
50 fail( "User 'admin' should not be able to delete his account" );
51 }
52 catch ( LdapNoPermissionException e )
53 {
54 assertNotNull( e );
55 }
56 }
57
58
59 /***
60 * Makes sure a non-admin user cannot rename the admin account.
61 *
62 * @throws NamingException if there are problems
63 */
64 public void testNoRdnChangesOnAdminByNonAdmin() throws NamingException
65 {
66 try
67 {
68 sysRoot.rename( "uid=admin", "uid=alex" );
69 fail( "admin should not be able to rename his account" );
70 }
71 catch ( LdapNoPermissionException e )
72 {
73 assertNotNull( e );
74 }
75 }
76
77
78 /***
79 * Makes sure the a non-admin user cannot rename the admin account.
80 */
81 public void testModifyOnAdminByNonAdmin()
82 {
83 Attributes attributes = new LockableAttributesImpl();
84 attributes.put( "userPassword", "replaced" );
85
86 try
87 {
88 sysRoot.modifyAttributes( "uid=admin",
89 DirContext.REPLACE_ATTRIBUTE, attributes );
90 fail( "User 'uid=admin,ou=system' should not be able to modify attributes on admin" );
91 } catch( Exception e ) { }
92 }
93
94
95 /***
96 * Makes sure the admin can see all entries we know of on a subtree search.
97 *
98 * @throws NamingException if there are problems
99 */
100 public void testSearchSubtreeByNonAdmin() throws NamingException
101 {
102 SearchControls controls = new SearchControls();
103 controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
104
105 HashSet set = new HashSet();
106 NamingEnumeration list = sysRoot.search( "", "(objectClass=*)", controls );
107 while ( list.hasMore() )
108 {
109 SearchResult result = ( SearchResult ) list.next();
110 set.add( result.getName() );
111 }
112
113 assertTrue( set.contains( "ou=system" ) );
114 assertTrue( set.contains( "ou=groups,ou=system" ) );
115 assertFalse( set.contains( "cn=administrators,ou=groups,ou=system" ) );
116 assertTrue( set.contains( "ou=users,ou=system" ) );
117 assertFalse( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
118 assertFalse( set.contains( "uid=admin,ou=system" ) );
119 }
120 }