17 package org.apache.ldap.server.authz;
18
19
20 import java.util.HashSet;
21
22 import javax.naming.NamingEnumeration;
23 import javax.naming.NamingException;
24 import javax.naming.directory.*;
25
26 import org.apache.ldap.common.exception.LdapNoPermissionException;
27 import org.apache.ldap.common.message.LockableAttributesImpl;
28 import org.apache.ldap.server.AbstractAdminTestCase;
29 import org.apache.ldap.server.subtree.SubentryService;
30
31
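/**
 * Tests the Authorization service to make sure it is enforcing policies
 * correctly for operations issued through <code>sysRoot</code>, the context
 * inherited from {@link AbstractAdminTestCase}.
 *
 * The negative tests check two things: that the operation is rejected with
 * an {@link LdapNoPermissionException}, and that the admin entry can still be
 * read afterwards. A denial that is reported but leaves the entry damaged
 * would otherwise go unnoticed.
 *
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 * @version $Rev: 306997 $
 */
public class AuthorizationServiceAsAdminTest extends AbstractAdminTestCase
{
    /** Name of the admin entry as addressed through <code>sysRoot</code>. */
    private static final String ADMIN_RDN = "uid=admin";


    /**
     * Asserts that the admin entry can still be read through
     * <code>sysRoot</code>. If the entry is missing, the lookup throws a
     * NamingException and the calling test fails.
     *
     * @throws NamingException if the admin entry cannot be read
     */
    private void assertAdminEntryIntact() throws NamingException
    {
        assertNotNull( sysRoot.getAttributes( ADMIN_RDN ) );
    }


    /**
     * Makes sure the admin cannot delete the admin account.
     *
     * @throws NamingException if there are problems
     */
    public void testNoDeleteOnAdminByAdmin() throws NamingException
    {
        try
        {
            sysRoot.destroySubcontext( ADMIN_RDN );
            fail( "admin should not be able to delete his account" );
        }
        catch ( LdapNoPermissionException expected )
        {
            // The denial is the behaviour under test. Any other exception
            // type propagates and fails the test.
        }

        // The exception alone does not prove the entry survived.
        assertAdminEntryIntact();
    }


    /**
     * Makes sure the admin cannot rename the admin account.
     *
     * @throws NamingException if there are problems
     */
    public void testNoRdnChangesOnAdminByAdmin() throws NamingException
    {
        try
        {
            sysRoot.rename( ADMIN_RDN, "uid=alex" );
            fail( "admin should not be able to rename his account" );
        }
        catch ( LdapNoPermissionException expected )
        {
            // The denial is the behaviour under test.
        }

        // The entry must still answer under its original name.
        assertAdminEntryIntact();
    }


    /**
     * Makes sure the admin can modify the admin account: replaces the
     * <code>userPassword</code> attribute and reads the new value back.
     *
     * @throws NamingException if there are problems
     */
    public void testModifyOnAdminByAdmin() throws NamingException
    {
        Attributes replacement = new LockableAttributesImpl();
        replacement.put( "userPassword", "replaced" );
        sysRoot.modifyAttributes( ADMIN_RDN, DirContext.REPLACE_ATTRIBUTE, replacement );

        // NOTE(review): the assertion expects the value to come back exactly
        // as written, i.e. no hashing or transformation on write - confirm
        // that this is intended for the test fixture. The admin password is
        // not restored here; presumably the fixture is rebuilt per test -
        // verify in AbstractAdminTestCase.
        Attributes stored = sysRoot.getAttributes( ADMIN_RDN );
        assertEquals( "replaced", stored.get( "userPassword" ).get() );
    }


    /**
     * Makes sure the admin can see all entries we know of on a subtree search.
     *
     * @throws NamingException if there are problems
     */
    public void testSearchSubtreeByAdmin() throws NamingException
    {
        SearchControls controls = new SearchControls();
        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
        HashSet names = new HashSet();
        NamingEnumeration results = sysRoot.search( "", "(objectClass=*)", controls );

        try
        {
            while ( results.hasMore() )
            {
                SearchResult result = ( SearchResult ) results.next();
                names.add( result.getName() );
            }
        }
        finally
        {
            // Release the enumeration even when iteration fails part-way.
            results.close();
        }

        assertTrue( names.contains( "ou=system" ) );
        assertTrue( names.contains( "ou=groups,ou=system" ) );
        assertTrue( names.contains( "ou=users,ou=system" ) );
        assertTrue( names.contains( "uid=akarasulu,ou=users,ou=system" ) );
        assertTrue( names.contains( "uid=admin,ou=system" ) );
    }
}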