17 package org.apache.ldap.server.authz;
18
19
20 import java.util.HashSet;
21
22 import javax.naming.NamingEnumeration;
23 import javax.naming.NamingException;
24 import javax.naming.directory.Attributes;
25 import javax.naming.directory.DirContext;
26 import javax.naming.directory.SearchControls;
27 import javax.naming.directory.SearchResult;
28
29 import org.apache.ldap.common.exception.LdapNoPermissionException;
30 import org.apache.ldap.common.message.LockableAttributesImpl;
31 import org.apache.ldap.server.AbstractNonAdminTestCase;
32
33
34 /***
35 * Tests the Authorization service to make sure it is enforcing policies
36 * correctly.
37 *
38 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
39 * @version $Rev: 264732 $
40 */
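public class AuthorizationServiceAsNonAdminTest extends AbstractNonAdminTestCase
{
    /**
     * Makes sure a non-admin user cannot delete the admin account.
     *
     * The only acceptable outcome is an {@link LdapNoPermissionException};
     * any other failure propagates and fails the test rather than being
     * mistaken for a policy denial.
     *
     * @throws NamingException if there are problems other than the expected denial
     */
    public void testNoDeleteOnAdminByNonAdmin() throws NamingException
    {
        try
        {
            sysRoot.destroySubcontext( "uid=admin" );
            fail( "A non-admin user should not be able to delete the admin account" );
        }
        catch ( LdapNoPermissionException e )
        {
            // expected: the authorization service refused the delete
            assertNotNull( e );
        }
    }


    /**
     * Makes sure a non-admin user cannot rename the admin account.
     *
     * @throws NamingException if there are problems other than the expected denial
     */
    public void testNoRdnChangesOnAdminByNonAdmin() throws NamingException
    {
        try
        {
            sysRoot.rename( "uid=admin", "uid=alex" );
            fail( "A non-admin user should not be able to rename the admin account" );
        }
        catch ( LdapNoPermissionException e )
        {
            // expected: the authorization service refused the rename
            assertNotNull( e );
        }
    }


    /**
     * Makes sure a non-admin user cannot modify attributes (here the
     * userPassword) of the admin account.
     *
     * Only an {@link LdapNoPermissionException} counts as a pass: a broad
     * catch would let an unrelated error (bad attribute, connectivity) hide
     * a missing authorization check.
     */
    public void testModifyOnAdminByNonAdmin()
    {
        Attributes attributes = new LockableAttributesImpl();
        attributes.put( "userPassword", "replaced" );

        try
        {
            sysRoot.modifyAttributes( "uid=admin", DirContext.REPLACE_ATTRIBUTE, attributes );
            fail( "A non-admin user should not be able to modify attributes on the admin account" );
        }
        catch ( LdapNoPermissionException e )
        {
            // expected: the authorization service refused the modification
            assertNotNull( e );
        }
        catch ( NamingException e )
        {
            // refused for the wrong reason (or not an authorization failure at all)
            fail( "Expected LdapNoPermissionException but got " + e );
        }
    }


    /**
     * Makes sure a subtree search run as a non-admin user returns only the
     * entries that user is allowed to see: container entries are visible,
     * while the admin entry, other user entries and the administrators
     * group are withheld.
     *
     * @throws NamingException if there are problems
     */
    public void testSearchSubtreeByNonAdmin() throws NamingException
    {
        SearchControls controls = new SearchControls();
        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );

        HashSet names = new HashSet();
        NamingEnumeration results = sysRoot.search( "", "(objectClass=*)", controls );
        try
        {
            while ( results.hasMore() )
            {
                SearchResult result = ( SearchResult ) results.next();
                names.add( result.getName() );
            }
        }
        finally
        {
            // release the enumeration even if iteration throws
            results.close();
        }

        assertTrue( names.contains( "ou=system" ) );
        assertTrue( names.contains( "ou=groups,ou=system" ) );
        assertFalse( names.contains( "cn=administrators,ou=groups,ou=system" ) );
        assertTrue( names.contains( "ou=users,ou=system" ) );
        assertFalse( names.contains( "uid=akarasulu,ou=users,ou=system" ) );
        assertFalse( names.contains( "uid=admin,ou=system" ) );
    }
}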