1   /*
2    *   Copyright 2004 The Apache Software Foundation
3    *
4    *   Licensed under the Apache License, Version 2.0 (the "License");
5    *   you may not use this file except in compliance with the License.
6    *   You may obtain a copy of the License at
7    *
8    *       http://www.apache.org/licenses/LICENSE-2.0
9    *
10   *   Unless required by applicable law or agreed to in writing, software
11   *   distributed under the License is distributed on an "AS IS" BASIS,
12   *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   *   See the License for the specific language governing permissions and
14   *   limitations under the License.
15   *
16   */
17  package org.apache.ldap.server.authz;
18  
19  
20  import java.util.HashSet;
21  
22  import javax.naming.NamingEnumeration;
23  import javax.naming.NamingException;
24  import javax.naming.directory.*;
25  
26  import org.apache.ldap.common.exception.LdapNoPermissionException;
27  import org.apache.ldap.common.message.LockableAttributesImpl;
28  import org.apache.ldap.server.AbstractNonAdminTestCase;
29  
30  
31  /***
32   * Tests the Authorization service to make sure it is enforcing policies
33   * correctly.
34   *
35   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
36   * @version $Rev: 321432 $
37   */
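public class AuthorizationServiceAsNonAdminTest extends AbstractNonAdminTestCase
{
    /**
     * Makes sure a non-admin user cannot delete the admin account.
     *
     * Only {@link LdapNoPermissionException} counts as the expected outcome;
     * any other NamingException propagates and fails the test, so a broken
     * directory cannot be mistaken for an enforced policy.
     *
     * @throws NamingException if there are problems other than a permission denial
     */
    public void testNoDeleteOnAdminByNonAdmin() throws NamingException
    {
        try
        {
            sysRoot.destroySubcontext( "uid=admin" );
            fail( "Non-admin user should not be able to delete the admin account" );
        }
        catch ( LdapNoPermissionException e )
        {
            // expected: the authorization service must reject the delete
            assertNotNull( e );
        }
    }


    /**
     * Makes sure a non-admin user cannot rename the admin account.
     *
     * @throws NamingException if there are problems other than a permission denial
     */
    public void testNoRdnChangesOnAdminByNonAdmin() throws NamingException
    {
        try
        {
            sysRoot.rename( "uid=admin", "uid=alex" );
            fail( "Non-admin user should not be able to rename the admin account" );
        }
        catch ( LdapNoPermissionException e )
        {
            // expected: the authorization service must reject the rename
            assertNotNull( e );
        }
    }


    /**
     * Makes sure a non-admin user cannot modify attributes of the admin account
     * (here: replacing the admin's userPassword).
     *
     * The original version of this test caught {@code Exception} and ignored it,
     * which let any failure of the modify operation pass as if the policy had
     * been enforced. Only {@link LdapNoPermissionException} is accepted now;
     * everything else propagates and fails the test.
     *
     * @throws NamingException if there are problems other than a permission denial
     */
    public void testModifyOnAdminByNonAdmin() throws NamingException
    {
        Attributes attributes = new LockableAttributesImpl();
        attributes.put( "userPassword", "replaced" );

        try
        {
            sysRoot.modifyAttributes( "uid=admin",
                    DirContext.REPLACE_ATTRIBUTE, attributes );
            fail( "Non-admin user should not be able to modify attributes on admin" );
        }
        catch ( LdapNoPermissionException e )
        {
            // expected: the authorization service must reject the modification
            assertNotNull( e );
        }
    }


    /**
     * Makes sure a subtree search by a non-admin user returns only the entries
     * that user is allowed to see: the system, groups and users containers are
     * visible, while the administrators group, other user entries and the
     * admin entry itself are hidden.
     *
     * @throws NamingException if there are problems
     */
    public void testSearchSubtreeByNonAdmin() throws NamingException
    {
        SearchControls controls = new SearchControls();
        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );

        // names of all entries returned by the search, keyed by their DN string
        HashSet set = new HashSet();
        NamingEnumeration list = sysRoot.search( "", "(objectClass=*)", controls );
        try
        {
            while ( list.hasMore() )
            {
                SearchResult result = ( SearchResult ) list.next();
                set.add( result.getName() );
            }
        }
        finally
        {
            // release the server-side search cursor even if hasMore()/next() throws
            list.close();
        }

        assertTrue( set.contains( "ou=system" ) );
        assertTrue( set.contains( "ou=groups,ou=system" ) );
        assertFalse( set.contains( "cn=administrators,ou=groups,ou=system" ) );
        assertTrue( set.contains( "ou=users,ou=system" ) );
        assertFalse( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
        assertFalse( set.contains( "uid=admin,ou=system" ) );
    }
}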