1   /*
2    *   Copyright 2004 The Apache Software Foundation
3    *
4    *   Licensed under the Apache License, Version 2.0 (the "License");
5    *   you may not use this file except in compliance with the License.
6    *   You may obtain a copy of the License at
7    *
8    *       http://www.apache.org/licenses/LICENSE-2.0
9    *
10   *   Unless required by applicable law or agreed to in writing, software
11   *   distributed under the License is distributed on an "AS IS" BASIS,
12   *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   *   See the License for the specific language governing permissions and
14   *   limitations under the License.
15   *
16   */
17  package org.apache.ldap.server.authz;
18  
19  
20  import java.util.HashSet;
21  
22  import javax.naming.NamingEnumeration;
23  import javax.naming.NamingException;
24  import javax.naming.directory.*;
25  
26  import org.apache.ldap.common.exception.LdapNoPermissionException;
27  import org.apache.ldap.common.message.LockableAttributesImpl;
28  import org.apache.ldap.server.AbstractAdminTestCase;
29  import org.apache.ldap.server.subtree.SubentryService;
30  
31  
32  /***
33   * Tests the Authorization service to make sure it is enforcing policies
34   * correctly.
35   *
36   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
37   * @version $Rev: 306997 $
38   */
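public class AuthorizationServiceAsAdminTest extends AbstractAdminTestCase
{
    /***
     * Makes sure the admin cannot delete the admin account.
     *
     * Only LdapNoPermissionException is caught: any other exception escapes
     * the test and surfaces as an error rather than being mistaken for a
     * correct denial.
     *
     * @throws NamingException if there are problems
     */
    public void testNoDeleteOnAdminByAdmin() throws NamingException
    {
        try
        {
            sysRoot.destroySubcontext( "uid=admin" );
            fail( "admin should not be able to delete his account" );
        }
        catch ( LdapNoPermissionException e )
        {
            assertNotNull( e );
        }
    }


    /***
     * Makes sure the admin cannot rename the admin account.
     *
     * As above, only the expected permission failure is caught so that any
     * other failure mode is reported instead of silently passing.
     *
     * @throws NamingException if there are problems
     */
    public void testNoRdnChangesOnAdminByAdmin() throws NamingException
    {
        try
        {
            sysRoot.rename( "uid=admin", "uid=alex" );
            fail( "admin should not be able to rename his account" );
        }
        catch ( LdapNoPermissionException e )
        {
            assertNotNull( e );
        }
    }


    /***
     * Makes sure the admin can modify attributes of the admin account: the
     * userPassword attribute is replaced and the entry is read back to
     * confirm the new value took effect.
     *
     * @throws NamingException if there are problems
     */
    public void testModifyOnAdminByAdmin() throws NamingException
    {
        Attributes attributes = new LockableAttributesImpl();
        attributes.put( "userPassword", "replaced" );
        sysRoot.modifyAttributes( "uid=admin", DirContext.REPLACE_ATTRIBUTE, attributes );

        // Re-read the entry rather than trusting the modify call succeeded silently.
        Attributes newAttrs = sysRoot.getAttributes( "uid=admin" );
        assertEquals( "replaced", newAttrs.get( "userPassword" ).get() );
    }


    /***
     * Makes sure the admin can see all entries we know of on a subtree search.
     *
     * The collected names are checked against the fixed set of entries the
     * test fixture is known to contain; the enumeration is always closed so
     * a failing assertion does not leak the underlying search.
     *
     * @throws NamingException if there are problems
     */
    public void testSearchSubtreeByAdmin() throws NamingException
    {
        SearchControls controls = new SearchControls();
        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
        HashSet set = new HashSet();
        NamingEnumeration list = sysRoot.search( "", "(objectClass=*)", controls );

        try
        {
            while ( list.hasMore() )
            {
                SearchResult result = ( SearchResult ) list.next();
                set.add( result.getName() );
            }
        }
        finally
        {
            // NamingEnumeration holds server-side search state; release it even on assertion failure.
            list.close();
        }

        assertTrue( set.contains( "ou=system" ) );
        assertTrue( set.contains( "ou=groups,ou=system" ) );
        assertTrue( set.contains( "ou=users,ou=system" ) );
        assertTrue( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
        assertTrue( set.contains( "uid=admin,ou=system" ) );
    }
}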