17 package org.apache.ldap.server.authz;
18
19
20 import java.util.HashSet;
21
22 import javax.naming.NamingEnumeration;
23 import javax.naming.NamingException;
24 import javax.naming.directory.Attributes;
25 import javax.naming.directory.DirContext;
26 import javax.naming.directory.SearchControls;
27 import javax.naming.directory.SearchResult;
28
29 import org.apache.ldap.common.exception.LdapNoPermissionException;
30 import org.apache.ldap.common.message.LockableAttributesImpl;
31 import org.apache.ldap.server.AbstractAdminTestCase;
32
33
34 /***
35 * Tests the Authorization service to make sure it is enforcing policies
36 * correctly.
37 *
38 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
39 * @version $Rev: 264732 $
40 */
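public class AuthorizationServiceAsAdminTest extends AbstractAdminTestCase
{
    /**
     * Makes sure the admin cannot delete the admin account: the authorization
     * service must reject the delete with an LdapNoPermissionException even
     * though the caller is the admin principal.
     *
     * @throws NamingException if there are problems other than the expected
     *         permission denial
     */
    public void testNoDeleteOnAdminByAdmin() throws NamingException
    {
        try
        {
            sysRoot.destroySubcontext( "uid=admin" );
            fail( "admin should not be able to delete his account" );
        }
        catch ( LdapNoPermissionException e )
        {
            // expected: the denial must surface as the specific permission
            // exception, not as a generic NamingException
            assertNotNull( e );
        }
    }


    /**
     * Makes sure the admin cannot rename the admin account: a modifyRdn on
     * uid=admin must be rejected with an LdapNoPermissionException.
     *
     * @throws NamingException if there are problems other than the expected
     *         permission denial
     */
    public void testNoRdnChangesOnAdminByAdmin() throws NamingException
    {
        try
        {
            sysRoot.rename( "uid=admin", "uid=alex" );
            fail( "admin should not be able to rename his account" );
        }
        catch ( LdapNoPermissionException e )
        {
            // expected: rename of the admin entry is denied even to admin
            assertNotNull( e );
        }
    }


    /**
     * Makes sure the admin can modify attributes of the admin account. The
     * userPassword attribute is replaced and read back to confirm the change
     * was applied (delete and rename are denied, but modify is allowed).
     *
     * @throws NamingException if there are problems
     */
    public void testModifyOnAdminByAdmin() throws NamingException
    {
        Attributes attributes = new LockableAttributesImpl();
        attributes.put( "userPassword", "replaced" );

        sysRoot.modifyAttributes( "uid=admin", DirContext.REPLACE_ATTRIBUTE, attributes );

        // NOTE(review): this relies on the server returning userPassword as a
        // String; a byte[] value would make the equality check fail - confirm
        // against the server's attribute type handling
        Attributes newAttrs = sysRoot.getAttributes( "uid=admin" );
        assertEquals( "replaced", newAttrs.get( "userPassword" ).get() );
    }


    /**
     * Makes sure the admin can see all entries we know of on a subtree search
     * rooted at the system context.
     *
     * @throws NamingException if there are problems
     */
    public void testSearchSubtreeByAdmin() throws NamingException
    {
        SearchControls controls = new SearchControls();
        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );

        HashSet names = new HashSet();
        NamingEnumeration list = sysRoot.search( "", "(objectClass=*)", controls );

        try
        {
            while ( list.hasMore() )
            {
                SearchResult result = ( SearchResult ) list.next();
                names.add( result.getName() );
            }
        }
        finally
        {
            // release the enumeration even if iteration throws
            list.close();
        }

        assertTrue( names.contains( "ou=system" ) );
        assertTrue( names.contains( "ou=groups,ou=system" ) );
        assertTrue( names.contains( "ou=users,ou=system" ) );
        assertTrue( names.contains( "uid=akarasulu,ou=users,ou=system" ) );
        assertTrue( names.contains( "uid=admin,ou=system" ) );
    }
}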