1   /*
2    *   Copyright 2004 The Apache Software Foundation
3    *
4    *   Licensed under the Apache License, Version 2.0 (the "License");
5    *   you may not use this file except in compliance with the License.
6    *   You may obtain a copy of the License at
7    *
8    *       http://www.apache.org/licenses/LICENSE-2.0
9    *
10   *   Unless required by applicable law or agreed to in writing, software
11   *   distributed under the License is distributed on an "AS IS" BASIS,
12   *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   *   See the License for the specific language governing permissions and
14   *   limitations under the License.
15   *
16   */
17  package org.apache.ldap.server.authz;
18  
19  
20  import java.util.HashSet;
21  
22  import javax.naming.NamingEnumeration;
23  import javax.naming.NamingException;
24  import javax.naming.directory.Attributes;
25  import javax.naming.directory.DirContext;
26  import javax.naming.directory.SearchControls;
27  import javax.naming.directory.SearchResult;
28  
29  import org.apache.ldap.common.exception.LdapNoPermissionException;
30  import org.apache.ldap.common.message.LockableAttributesImpl;
31  import org.apache.ldap.server.AbstractNonAdminTestCase;
32  
33  
34  /***
35   * Tests the Authorization service to make sure it is enforcing policies
36   * correctly.
37   *
38   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
39   * @version $Rev: 264732 $
40   */
41  public class AuthorizationServiceAsNonAdminTest extends AbstractNonAdminTestCase
42  {
43      /***
44       * Makes sure a non-admin user cannot delete the admin account.
45       *
46       * @throws NamingException if there are problems
47       */
48      public void testNoDeleteOnAdminByNonAdmin() throws NamingException
49      {
50          try
51          {
52              sysRoot.destroySubcontext( "uid=admin" );
53              fail( "User 'admin' should not be able to delete his account" );
54          }
55          catch ( LdapNoPermissionException e )
56          {
57              assertNotNull( e );
58          }
59      }
60  
61  
62      /***
63       * Makes sure a non-admin user cannot rename the admin account.
64       *
65       * @throws NamingException if there are problems
66       */
67      public void testNoRdnChangesOnAdminByNonAdmin() throws NamingException
68      {
69          try
70          {
71              sysRoot.rename( "uid=admin", "uid=alex" );
72              fail( "admin should not be able to rename his account" );
73          }
74          catch ( LdapNoPermissionException e )
75          {
76              assertNotNull( e );
77          }
78      }
79  
80  
81      /***
82       * Makes sure the a non-admin user cannot rename the admin account.
83       */
84      public void testModifyOnAdminByNonAdmin()
85      {
86          Attributes attributes = new LockableAttributesImpl();
87          attributes.put( "userPassword", "replaced" );
88  
89          try
90          {
91              sysRoot.modifyAttributes( "uid=admin",
92                      DirContext.REPLACE_ATTRIBUTE, attributes );
93              fail( "User 'uid=admin' should not be able to modify attributes on admin" );
94          } catch( Exception e ) { }
95      }
96  
97  
98      /***
99       * Makes sure the admin can see all entries we know of on a subtree search.
100      *
101      * @throws NamingException if there are problems
102      */
103     public void testSearchSubtreeByNonAdmin() throws NamingException
104     {
105         SearchControls controls = new SearchControls();
106         controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
107 
108         HashSet set = new HashSet();
109         NamingEnumeration list = sysRoot.search( "",
110                 "(objectClass=*)", controls );
111         while ( list.hasMore() )
112         {
113             SearchResult result = ( SearchResult ) list.next();
114             set.add( result.getName() );
115         }
116 
117         assertTrue( set.contains( "ou=system" ) );
118         assertTrue( set.contains( "ou=groups,ou=system" ) );
119         assertFalse( set.contains( "cn=administrators,ou=groups,ou=system" ) );
120         assertTrue( set.contains( "ou=users,ou=system" ) );
121         assertFalse( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
122         assertFalse( set.contains( "uid=admin,ou=system" ) );
123     }
124 }