1   /*
2    *   Copyright 2004 The Apache Software Foundation
3    *
4    *   Licensed under the Apache License, Version 2.0 (the "License");
5    *   you may not use this file except in compliance with the License.
6    *   You may obtain a copy of the License at
7    *
8    *       http://www.apache.org/licenses/LICENSE-2.0
9    *
10   *   Unless required by applicable law or agreed to in writing, software
11   *   distributed under the License is distributed on an "AS IS" BASIS,
12   *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   *   See the License for the specific language governing permissions and
14   *   limitations under the License.
15   *
16   */
17  package org.apache.ldap.server.authz;
18  
19  
20  import java.util.HashSet;
21  
22  import javax.naming.NamingEnumeration;
23  import javax.naming.NamingException;
24  import javax.naming.directory.Attributes;
25  import javax.naming.directory.DirContext;
26  import javax.naming.directory.SearchControls;
27  import javax.naming.directory.SearchResult;
28  
29  import org.apache.ldap.common.exception.LdapNoPermissionException;
30  import org.apache.ldap.common.message.LockableAttributesImpl;
31  import org.apache.ldap.server.AbstractAdminTestCase;
32  
33  
34  /***
35   * Tests the Authorization service to make sure it is enforcing policies
36   * correctly.
37   *
38   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
39   * @version $Rev: 264732 $
40   */
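public class AuthorizationServiceAsAdminTest extends AbstractAdminTestCase
{
    /***
     * Makes sure the admin cannot delete the admin account, even when the
     * delete is attempted by the admin principal itself.  The authorization
     * service is expected to reject the request with an
     * LdapNoPermissionException; a successful delete, or any other exception,
     * fails the test.
     *
     * @throws NamingException if there are problems
     */
    public void testNoDeleteOnAdminByAdmin() throws NamingException
    {
        try
        {
            sysRoot.destroySubcontext( "uid=admin" );
            fail( "admin should not be able to delete his account" );
        }
        catch ( LdapNoPermissionException e )
        {
            // expected: the delete was refused by the authorization service
            assertNotNull( e );
        }
    }


    /***
     * Makes sure the admin cannot rename (change the RDN of) the admin account.
     * The authorization service is expected to reject the rename with an
     * LdapNoPermissionException; a successful rename, or any other exception,
     * fails the test.
     *
     * @throws NamingException if there are problems
     */
    public void testNoRdnChangesOnAdminByAdmin() throws NamingException
    {
        try
        {
            sysRoot.rename( "uid=admin", "uid=alex" );
            fail( "admin should not be able to rename his account" );
        }
        catch ( LdapNoPermissionException e )
        {
            // expected: the rename was refused by the authorization service
            assertNotNull( e );
        }
    }


    /***
     * Makes sure the admin CAN modify attributes of the admin account: the
     * userPassword attribute is replaced and then read back to confirm the
     * new value was stored.  (Deleting and renaming the admin entry are
     * forbidden, see the two tests above, but modification is allowed.)
     *
     * @throws NamingException if there are problems
     */
    public void testModifyOnAdminByAdmin() throws NamingException
    {
        Attributes attributes = new LockableAttributesImpl();
        attributes.put( "userPassword", "replaced" );

        // as admin the replace must succeed; a permission error fails the test
        sysRoot.modifyAttributes( "uid=admin", DirContext.REPLACE_ATTRIBUTE, attributes );

        // read the entry back and verify the stored value is the replacement
        Attributes newAttrs = sysRoot.getAttributes( "uid=admin" );
        assertEquals( "replaced", newAttrs.get( "userPassword" ).get() );
    }


    /***
     * Makes sure the admin can see all entries we know of on a subtree search
     * rooted at the system context.  The names returned by the search are
     * collected into a set and each of the well known entries is checked for.
     *
     * @throws NamingException if there are problems
     */
    public void testSearchSubtreeByAdmin() throws NamingException
    {
        SearchControls controls = new SearchControls();
        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );

        // names (relative to sysRoot) of every entry returned by the search
        HashSet set = new HashSet();

        NamingEnumeration list = sysRoot.search( "", "(objectClass=*)", controls );

        try
        {
            while ( list.hasMore() )
            {
                SearchResult result = ( SearchResult ) list.next();
                set.add( result.getName() );
            }
        }
        finally
        {
            // release the enumeration even if iteration fails part way through
            list.close();
        }

        assertTrue( set.contains( "ou=system" ) );
        assertTrue( set.contains( "ou=groups,ou=system" ) );
        assertTrue( set.contains( "ou=users,ou=system" ) );
        assertTrue( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
        assertTrue( set.contains( "uid=admin,ou=system" ) );
    }
}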