directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: rev 56220 - in incubator/directory/eve/trunk/jndi-provider/src: aspects/org/apache/eve/jndi java/org/apache/eve/jndi java/org/apache/eve/jndi/ibs test/org/apache/eve/jndi/ibs
Date Mon, 01 Nov 2004 09:54:18 GMT
Author: akarasulu
Date: Mon Nov  1 01:54:17 2004
New Revision: 56220

Added:
   incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
Modified:
   incubator/directory/eve/trunk/jndi-provider/src/aspects/org/apache/eve/jndi/ProviderNexusAspect.java
   incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/EveContextFactory.java
   incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/InvocationMethodEnum.java
   incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
Log:
got the authorization service workign with some test cases - got much more to do though

Modified: incubator/directory/eve/trunk/jndi-provider/src/aspects/org/apache/eve/jndi/ProviderNexusAspect.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/aspects/org/apache/eve/jndi/ProviderNexusAspect.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/aspects/org/apache/eve/jndi/ProviderNexusAspect.java
Mon Nov  1 01:54:17 2004
@@ -166,7 +166,7 @@
 		call( public Attributes lookup( Name ) ) ||
         call( public void modify( Name, int, Attributes ) ) ||
         call( public void modify( Name, ModificationItem [] ) ) ||
-        call( public void modifyRdn( Name, String, boolean ) ) ||
+        call( public void modifyRn( Name, String, boolean ) ) ||
         call( public void move( Name, Name ) ) ||
         call( public void move( Name, Name, String, boolean ) ) ||
         call( public NamingEnumeration 

Modified: incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/EveContextFactory.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/EveContextFactory.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/EveContextFactory.java
Mon Nov  1 01:54:17 2004
@@ -359,8 +359,8 @@
 
 
         /*
-         * Create and add the Eve Exception service interceptor to both the
-         * before and onError interceptor chains.
+         * Create and add the Authentication service interceptor to before
+         * interceptor chain.
          */
         InvocationStateEnum[] state = new InvocationStateEnum[]{
             InvocationStateEnum.PREINVOCATION
@@ -378,6 +378,14 @@
         state = new InvocationStateEnum[]{ InvocationStateEnum.POSTINVOCATION };
         FilterService filterService = new FilterServiceImpl();
         interceptor = ( Interceptor ) filterService;
+        provider.addInterceptor( interceptor, state );
+
+        /*
+         * Create and add the Authorization service interceptor to before
+         * interceptor chain.
+         */
+        state = new InvocationStateEnum[]{ InvocationStateEnum.PREINVOCATION };
+        interceptor = new AuthorizationService( normalizer, filterService );
         provider.addInterceptor( interceptor, state );
 
         /*

Modified: incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/InvocationMethodEnum.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/InvocationMethodEnum.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/InvocationMethodEnum.java
Mon Nov  1 01:54:17 2004
@@ -44,7 +44,7 @@
     public static final String LOOKUP_NAME_STRINGARR_STR =
             "lookup(Name, String[])";
     /** name/signature for the add() method */
-    public static final String ADD_STR = "add()";
+        public static final String ADD_STR = "add()";
     /** name/signature for the delete() method */
     public static final String DELETE_STR = "delete()";
     /** name/signature for the hasEntry() method */
@@ -62,7 +62,7 @@
     public static final String MODIFY_NAME_MODIFICATIONITEMARR_STR =
             "modify(Name, ModificationItem[])";
     /** name/signature for the modifyRdn() method */
-    public static final String MODIFYRDN_STR = "modifyRdn()";
+    public static final String MODIFYRN_STR = "modifyRn()";
     /** name/signature for the move(Name, Name) method */
     public static final String MOVE_NAME_NAME_STR = "move(Name, Name)";
     /** name/signature for the move(Name, Name, String, boolean) method */
@@ -77,7 +77,7 @@
         LOOKUP_NAME_STRINGARR_STR,
         ADD_STR, DELETE_STR, HASENTRY_STR, ISSUFFIX_STR, LIST_STR,
         LOOKUP_NAME_STR, MODIFY_NAME_INT_ATTRIBUTES_STR,
-        MODIFY_NAME_MODIFICATIONITEMARR_STR, MODIFYRDN_STR,
+        MODIFY_NAME_MODIFICATIONITEMARR_STR, MODIFYRN_STR,
         MOVE_NAME_NAME_STR, MOVE_NAME_NAME_STRING_BOOL_STR, SEARCH_STR
     };
 
@@ -186,7 +186,7 @@
         map.put( "hasEntry", new InvocationMethodEnum[]{ HASENTRY } );
         map.put( "isSuffix", new InvocationMethodEnum[]{ ISSUFFIX } );
         map.put( "listSuffixes", new InvocationMethodEnum[]{ LISTSUFFIXES } );
-        map.put( "modifyRdn", new InvocationMethodEnum[]{ MODIFYRDN } );
+        map.put( "modifyRn", new InvocationMethodEnum[]{ MODIFYRDN } );
         map.put( "getSuffix", new InvocationMethodEnum[]{ GETSUFFIX } );
         map.put( "getMatchedDn", new InvocationMethodEnum[]{ GETMATCHEDDN } );
 

Modified: incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
Mon Nov  1 01:54:17 2004
@@ -17,17 +17,24 @@
 package org.apache.eve.jndi.ibs;
 
 
+import java.io.IOException;
 import javax.naming.Name;
 import javax.naming.NamingException;
+import javax.naming.ldap.LdapContext;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.ModificationItem;
+import javax.naming.directory.SearchControls;
 
-import org.apache.eve.RootNexus;
 import org.apache.eve.SystemPartition;
+import org.apache.eve.db.SearchResultFilter;
+import org.apache.eve.db.DbSearchResult;
 import org.apache.eve.exception.EveNoPermissionException;
 import org.apache.eve.jndi.BaseInterceptor;
 import org.apache.eve.jndi.Invocation;
 import org.apache.eve.jndi.InvocationStateEnum;
+import org.apache.eve.jndi.EveContext;
+import org.apache.ldap.common.name.NameComponentNormalizer;
+import org.apache.ldap.common.name.DnParser;
 
 
 /**
@@ -43,18 +50,34 @@
     /** the base distinguished {@link Name} for all users */
     private static final Name USER_BASE_DN = SystemPartition.getUsersBaseDn();
 
-    /** the root nexus to all database partitions */
-    private final RootNexus nexus;
+    /** the name parser used by this service */
+    private final DnParser dnParser;
 
 
     /**
      * Creates an authorization service interceptor.
      *
-     * @param nexus the root nexus to access all database partitions
+     * @param normalizer a schema enabled name component normalizer
+     * @param filterService a {@link FilterService} to register filters with
      */
-    public AuthorizationService( RootNexus nexus )
+    public AuthorizationService( NameComponentNormalizer normalizer,
+                                 FilterService filterService )
+            throws NamingException
     {
-        this.nexus = nexus;
+        try
+        {
+            this.dnParser = new DnParser( normalizer );
+        }
+        catch ( IOException e )
+        {
+            NamingException ne = new NamingException();
+            ne.setRootCause( e );
+            throw ne;
+        }
+
+        AuthorizationFilter filter = new AuthorizationFilter();
+        filterService.addLookupFilter( filter );
+        filterService.addSearchResultFilter( filter );
     }
 
 
@@ -79,7 +102,8 @@
                 throw new EveNoPermissionException( msg );
             }
 
-            if ( name.startsWith( USER_BASE_DN ) && ! principalDn.equals( ADMIN_DN
) )
+            if ( name.size() > 2 && name.startsWith( USER_BASE_DN )
+                    && ! principalDn.equals( ADMIN_DN ) )
             {
                 String msg = "User " + principalDn;
                 msg += " does not have permission to delete the user account: ";
@@ -144,7 +168,14 @@
         {
             Name principalDn = getPrincipal( invocation ).getDn();
 
-            if ( dn.startsWith( USER_BASE_DN ) && ! principalDn.equals( ADMIN_DN
) )
+            if ( dn == ADMIN_DN || dn.equals( ADMIN_DN ) && ! principalDn.equals(
ADMIN_DN ) )
+            {
+                String msg = "User " + principalDn;
+                msg += " does not have permission to modify the admin account.";
+                throw new EveNoPermissionException( msg );
+            }
+
+            if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && ! principalDn.equals(
ADMIN_DN ) )
             {
                 String msg = "User " + principalDn;
                 msg += " does not have permission to modify the account of the";
@@ -203,12 +234,60 @@
                 throw new EveNoPermissionException( msg );
             }
 
-            if ( dn.startsWith( USER_BASE_DN ) && ! principalDn.equals( ADMIN_DN
) )
+            if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && ! principalDn.equals(
ADMIN_DN ) )
             {
                 String msg = "User " + principalDn;
                 msg += " does not have permission to move or rename the user";
                 msg += " account: " + dn + ". Only the admin can move or";
                 msg += " rename user accounts.";
+                throw new EveNoPermissionException( msg );
+            }
+        }
+    }
+    
+    
+    private class AuthorizationFilter implements SearchResultFilter, LookupFilter
+    {
+        public boolean accept( LdapContext ctx, DbSearchResult result, SearchControls controls
)
+                throws NamingException
+        {
+            Name dn;
+            synchronized( dnParser )
+            {
+                dn = dnParser.parse( result.getName() );
+            }
+
+            Name principalDn = ( ( EveContext ) ctx ).getPrincipal().getDn();
+            if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && ! principalDn.equals(
ADMIN_DN ) )
+            {
+                return false;
+            }
+
+            return true;
+        }
+
+
+        public void filter( LdapContext ctx, Name dn, Attributes entry ) throws NamingException
+        {
+            filter( ctx, dn );
+        }
+
+
+        public void filter( LdapContext ctx, Name dn, Attributes entry, String[] ids )
+                throws NamingException
+        {
+            filter( ctx, dn );
+        }
+
+
+        private void filter( LdapContext ctx, Name dn ) throws NamingException
+        {
+            Name principalDn = ( ( EveContext ) ctx ).getPrincipal().getDn();
+            if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && ! principalDn.equals(
ADMIN_DN ) )
+            {
+                String msg = "Access to user account " + dn + " not permitted";
+                msg += " for user " + principalDn + ".  Only the admin can";
+                msg += " access user account information";
                 throw new EveNoPermissionException( msg );
             }
         }

Added: incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
==============================================================================
--- (empty file)
+++ incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
Mon Nov  1 01:54:17 2004
@@ -0,0 +1,174 @@
+/*
+ *   Copyright 2004 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.eve.jndi.ibs;
+
+
+import java.util.Hashtable;
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.Attributes;
+
+import org.apache.eve.jndi.EveLdapContext;
+import org.apache.eve.jndi.AbstractJndiTest;
+import org.apache.eve.exception.EveNoPermissionException;
+import org.apache.ldap.common.message.LockableAttributesImpl;
+
+
+/**
+ * Tests the Authorization service to make sure it is enforcing policies
+ * correctly.
+ *
+ * @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public class AuthorizationServiceTest extends AbstractJndiTest
+{
+    EveLdapContext sysRootAsNonRootUser;
+
+
+    /**
+     * Set's up a context for an authenticated non-root user.
+     *
+     * @see AbstractJndiTest#setUp()
+     */
+    protected void setUp() throws Exception
+    {
+        // bring the system up
+        super.setUp();
+
+        // authenticate as akarasulu
+        Hashtable env = new Hashtable( );
+        env.put( Context.PROVIDER_URL, "ou=system" );
+        env.put( Context.INITIAL_CONTEXT_FACTORY, "org.apache.eve.jndi.EveContextFactory"
);
+        env.put( Context.SECURITY_PRINCIPAL, "uid=akarasulu,ou=users,ou=system" );
+        env.put( Context.SECURITY_CREDENTIALS, "test" );
+        InitialContext ictx = new InitialContext( env );
+        sysRootAsNonRootUser = ( EveLdapContext ) ictx.lookup( "" );
+    }
+
+
+    /**
+     * Makes sure the admin cannot delete the admin account.
+     *
+     * @throws NamingException if there are problems
+     */
+    public void testNoDeleteOnAdminByAdmin() throws NamingException
+    {
+        try
+        {
+            sysRoot.destroySubcontext( "uid=admin" );
+            fail( "admin should not be able to delete his account" );
+        }
+        catch ( EveNoPermissionException e )
+        {
+            assertNotNull( e );
+        }
+    }
+
+
+    /**
+     * Makes sure a non-admin user cannot delete the admin account.
+     *
+     * @throws NamingException if there are problems
+     */
+    public void testNoDeleteOnAdminByNonAdmin() throws NamingException
+    {
+        try
+        {
+            sysRootAsNonRootUser.destroySubcontext( "uid=admin" );
+            fail( sysRootAsNonRootUser.getPrincipal().getDn()
+                    + " should not be able to delete his account" );
+        }
+        catch ( EveNoPermissionException e )
+        {
+            assertNotNull( e );
+        }
+    }
+
+
+    /**
+     * Makes sure the admin cannot rename the admin account.
+     *
+     * @throws NamingException if there are problems
+     */
+    public void testNoRdnChangesOnAdminByAdmin() throws NamingException
+    {
+        try
+        {
+            sysRoot.rename( "uid=admin", "uid=alex" );
+            fail( "admin should not be able to rename his account" );
+        }
+        catch ( EveNoPermissionException e )
+        {
+            assertNotNull( e );
+        }
+    }
+
+
+    /**
+     * Makes sure a non-admin user cannot rename the admin account.
+     *
+     * @throws NamingException if there are problems
+     */
+    public void testNoRdnChangesOnAdminByNonAdmin() throws NamingException
+    {
+        try
+        {
+            sysRootAsNonRootUser.rename( "uid=admin", "uid=alex" );
+            fail( "admin should not be able to rename his account" );
+        }
+        catch ( EveNoPermissionException e )
+        {
+            assertNotNull( e );
+        }
+    }
+
+
+    /**
+     * Makes sure the admin cannot rename the admin account.
+     *
+     * @throws NamingException if there are problems
+     */
+    public void testModifyOnAdminByAdmin() throws NamingException
+    {
+        Attributes attributes = new LockableAttributesImpl();
+        attributes.put( "userPassword", "replaced" );
+        sysRoot.modifyAttributes( "uid=admin", DirContext.REPLACE_ATTRIBUTE, attributes );
+        Attributes newAttrs = sysRoot.getAttributes( "uid=admin" );
+        assertEquals( "replaced", newAttrs.get( "userPassword" ).get() );
+    }
+
+
+//    /**
+//     * Makes sure the a non-admin user cannot rename the admin account.
+//     */
+//    public void testModifyOnAdminByNonAdmin()
+//    {
+//        Attributes attributes = new LockableAttributesImpl();
+//        attributes.put( "userPassword", "replaced" );
+//
+//        try
+//        {
+//            sysRootAsNonRootUser.modifyAttributes( "uid=admin",
+//                    DirContext.REPLACE_ATTRIBUTE, attributes );
+//            fail( sysRootAsNonRootUser.getPrincipal().getDn() +
+//                    " should not be able to modify attributes on admin" );
+//        } catch( Exception e ) { }
+//    }
+}

Mime
View raw message