17 package org.apache.ldap.server.authz;
18
19
20 import org.apache.ldap.common.exception.LdapNoPermissionException;
21 import org.apache.ldap.common.name.LdapName;
22
23 import javax.naming.NamingException;
24 import javax.naming.directory.*;
25
26
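/**
 * Tests whether or not authorization around entry addition works properly.
 *
 * Every test follows the same shape: first confirm that the user is denied
 * with no ACI in place (fail closed), then install one access control
 * subentry whose userClasses clause is the only thing that differs between
 * tests, and confirm the add is granted (or still denied, when the clause
 * does not yet match the user).
 *
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 * @version $Rev$
 */
public class AddAuthorizationTest extends AbstractAuthorizationTest
{
    /** Leading part of the ACI used by all tests, up to and including the opening of the userClasses clause. */
    private static final String ACI_HEAD = "{ " +
        "identificationTag \"addAci\", " +
        "precedence 14, " +
        "authenticationLevel none, " +
        "itemOrUserFirst userFirst: { " +
        "userClasses { ";

    /** Trailing part of the ACI used by all tests: closes userClasses and grants add/browse on the entry. */
    private static final String ACI_TAIL = " }, " +
        "userPermissions { { " +
        "protectedItems {entry, allUserAttributeTypesAndValues}, " +
        "grantsAndDenials { grantAdd, grantBrowse } } } } }";


    /**
     * Builds the ACI string shared by these tests with the given userClasses body.
     * The surrounding text (identificationTag, precedence 14, authenticationLevel none,
     * grantAdd/grantBrowse on entry and all user attributes) is identical for every test,
     * so only the userClass selector is supplied by the caller.
     *
     * @param userClasses the contents placed inside {@code userClasses { ... }}
     * @return the complete ACI item text
     */
    private static String addAciFor( String userClasses )
    {
        return ACI_HEAD + userClasses + ACI_TAIL;
    }


    /**
     * Checks if a simple entry (organizationalUnit) can be added to the DIT at an
     * RDN relative to ou=system by a specific non-admin user. If a permission exception
     * is encountered it is caught and false is returned, otherwise true is returned
     * when the entry is created. The entry is deleted after being created just in case
     * subsequent calls to this method do not fail: the admin account is used to delete
     * this test entry so permissions to delete are not required to delete it by the user.
     *
     * Both directory contexts opened here are closed before returning, whether or not
     * the operation succeeds.
     *
     * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
     * @param password the password of this user
     * @param entryRdn the relative DN, relative to ou=system where entry creation is tested
     * @return true if the entry can be created by the user at the specified location, false otherwise
     * @throws NamingException if there are problems conducting the test
     */
    public boolean checkCanAddEntryAs( String uid, String password, String entryRdn ) throws NamingException
    {
        // NOTE: the entry's ou value is fixed to "testou"; callers in this class pass the
        // matching RDN "ou=testou". A different entryRdn would not match this attribute.
        Attributes testEntry = new BasicAttributes( "ou", "testou", true );
        Attribute objectClass = new BasicAttribute( "objectClass" );
        testEntry.put( objectClass );
        objectClass.add( "top" );
        objectClass.add( "organizationalUnit" );

        try
        {
            LdapName userName = new LdapName( "uid=" + uid + ",ou=users,ou=system" );
            DirContext userContext = getContextAs( userName, password );
            try
            {
                userContext.createSubcontext( entryRdn, testEntry );
            }
            finally
            {
                // Release the user's connection even if the add was refused.
                userContext.close();
            }

            // Cleanup runs as admin so the user under test needs no delete permission.
            DirContext adminContext = getContextAsAdmin();
            try
            {
                adminContext.destroySubcontext( entryRdn );
            }
            finally
            {
                adminContext.close();
            }

            return true;
        }
        catch ( LdapNoPermissionException e )
        {
            // The access control subsystem refused the operation for this user.
            return false;
        }
    }


    /**
     * Checks to make sure group membership based userClass works for add operations.
     *
     * The grant names the Administrators group, so the user must still be denied
     * until actually added to that group.
     *
     * @throws NamingException if the test encounters an error
     */
    public void testGrantAddAdministrators() throws NamingException
    {
        createUser( "billyd", "billyd" );

        // Baseline: no ACI in place, the add must be denied.
        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );

        createAccessControlSubentry( "administratorAdd",
            addAciFor( "userGroup { \"cn=Administrators,ou=groups,ou=system\" }" ) );

        // The ACI exists but billyd is not a member of the group yet: still denied.
        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );

        addUserToGroup( "billyd", "Administrators" );

        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
    }


    /**
     * Checks to make sure name based userClass works for add operations.
     *
     * @throws NamingException if the test encounters an error
     */
    public void testGrantAddByName() throws NamingException
    {
        createUser( "billyd", "billyd" );

        // Baseline: no ACI in place, the add must be denied.
        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );

        createAccessControlSubentry( "billydAdd",
            addAciFor( "name { \"uid=billyd,ou=users,ou=system\" }" ) );

        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
    }


    /**
     * Checks to make sure subtree based userClass works for add operations.
     *
     * @throws NamingException if the test encounters an error
     */
    public void testGrantAddBySubtree() throws NamingException
    {
        createUser( "billyd", "billyd" );

        // Baseline: no ACI in place, the add must be denied.
        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );

        createAccessControlSubentry( "billyAddBySubtree",
            addAciFor( "subtree { { base \"ou=users,ou=system\" } }" ) );

        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
    }


    /**
     * Checks to make sure <b>allUsers</b> userClass works for add operations.
     *
     * @throws NamingException if the test encounters an error
     */
    public void testGrantAddAllUsers() throws NamingException
    {
        createUser( "billyd", "billyd" );

        // Baseline: no ACI in place, the add must be denied.
        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );

        createAccessControlSubentry( "anybodyAdd",
            addAciFor( "allUsers" ) );

        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
    }
}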